Abstract

Most discrete event system models are based on defining the alphabet set or the set of events as a fundamental concept. In this paper, we take an alternative view of treating the state space as the fundamental concept. We approach the problem of controlling discrete event systems by using predicates and predicate transformers. Predicates have the advantage that they can concisely characterize an infinite state space. The notion of controllability of a predicate is defined, and the supervisory predicate control problem introduced in this paper is solved. A closed form expression for the weakest controllable predicate is obtained. The problem of controlling discrete event systems under incomplete state observation is also considered and observability of predicates is defined. Techniques for finding extremal solutions of boolean equations are used to derive minimally restrictive supervisors.


1 Introduction


Many discrete event system models [24, 23, 25, 9, 11, 12] are based on defining the alphabet set or the set of events as a fundamental concept. The language of a deterministic system characterizes its behavior, and two systems are considered equivalent if they have the same alphabet and language [9]. In this paper, we take an alternative view of treating the state space as the fundamental concept. Problems treated in [22, 19, 3, 1, 18, 16, 7] are also formalized with a similar point of view.

We approach the problem of controlling the behavior of a discrete event system described in terms of its state trajectories by using predicates and predicate transformers. Predicates have the advantage that they can concisely characterize an infinite state space. Petri net based models have also been used for describing infinite state discrete event dynamical systems [26, 17]. The notions of two types of predicate transformers, namely strongest postcondition (sp) and weakest liberal precondition (wlp) [5, 6, 8], are very useful in characterizing the dynamics of discrete event dynamical systems. In this paper, we study the system dynamics in the framework of these predicate transformers. We use the notion of duality of predicate transformers and show that sp and wlp are duals of each other. Thus one of the predicate transformers - either sp or wlp - can be treated as fundamental and the other as a derived notion. In this paper we treat sp to be the fundamental predicate transformer, as it describes the forward evolution of the system behavior, and develop the supervisory control theory using it.

We describe a few basic properties - strictness, monotonicity, disjunctivity, conjunctivity etc. - of predicate transformers. sp is a strict, monotone and disjunctive predicate transformer, while its dual wlp is strict, monotone and conjunctive. One or more of these properties of sp and wlp are used to obtain all the results in this paper. It is known [6] that a predicate equation in the variable predicate Q of the type $Q : f(Q) \preceq g(Q)$ has unique extremal solutions, provided the predicate transformers f, g satisfy certain basic properties. We use the extremal solutions of such predicate equations to demonstrate the existence and uniqueness of minimally restrictive [23, 2] supervisors.

We introduce the supervisory predicate control problem as the problem of synthesizing a supervisor for a given system so that the state trajectories of the system remain confined to a set of "legal" states, and also visit all the states in the set of legal states. Thus the legal predicate corresponds to the weakest predicate that remains invariant under control. A special case of this problem where the latter constraint is relaxed was considered in [22]. The notion of controllability is defined and it is shown that it serves as a necessary and sufficient condition for the existence of a supervisor that solves the supervisory predicate control problem. A different definition of controllability is presented in [19], which can be shown to be equivalent to our definition. Our definition of controllability is purely in terms of the predicate transformer sp, which results in a more compact definition, simplicity of the proofs (as demonstrated by the proof of Theorem 4.5) as well as of the synthesis techniques for the supervisors.

In this paper, we also address the problem of synthesizing supervisors for the case when the required predicate is not controllable. This problem is quite important and is not addressed in [19, 22]. We show that if the given "legal" predicate is not controllable, then the minimally restrictive supervisor can be constructed so that the state trajectories of the controlled system remain confined to and also visit all the states in the set of states where the weakest controllable legal predicate holds. We prove that the weakest controllable predicate stronger than the required predicate exists and present an algorithm for computing it. This algorithm is then used for constructing the minimally restrictive supervisor. Thus our work extends the earlier works on supervisory predicate control [22, 19]. In [22] a method is presented for computing the weakest "invariant" predicate stronger than the legal predicate; this can also be computed as a special case using the method of computing the weakest controllable predicate presented in this paper.

Next we consider the supervisory predicate control problem under partial state observations. The behavior of the system, i.e. the state trajectories, is observed under a "mask" which maps the state space of the system to the "observation space", and is not necessarily injective. This problem is much harder, as the controller also consists of a state estimator, and based on its state estimates takes the appropriate control actions. This problem was first addressed in [19] and a solution was obtained under very restrictive assumptions on the desired reachable predicate. This is because the observability condition obtained in [19] is based only on the current observations and ignores all the past observations. We obtain the observability condition based on the entire available information: control as well as observation; present as well as past. Thus the notion of observability introduced in this paper is quite general. The notion of dynamical observers, which use the entire history for estimating states, is presented in [3, 21]. However, in [3] it is assumed that the transition events are completely known at all the transition steps, which is not the case in this paper. All that is known is that at any transition step one of the several events that are enabled by the supervisor will occur and cause a system transition. In [21] the issue of synthesizing a dynamical state estimator for a partially observed system was addressed and no control was exercised. In this paper we address the issue of simultaneously estimating the state and controlling the system so that the set of reachable states equals the required legal set of states.

The notion of observability of a predicate described in this paper also leads to a synthesis technique for the minimally restrictive supervisor. Unlike the supervisory control of system behavior described in terms of event trajectories under partial observation, where the minimally restrictive supervisor does not exist [20], we show in this paper that it is possible to construct the minimally restrictive supervisor for the supervisory predicate control problem under partial state observation, where the system behavior is described as the weakest invariant predicate.

The advantage of using predicates and predicate transformers to represent a DEDS is that we can concisely characterize systems with a very large, possibly infinite, number of states. This is illustrated by the Readers-Writers example considered in this paper, in which case the state space is infinite. We provide a technique for synthesizing a supervisor so as to ensure mutual exclusion of readers and writers. Also, a technique is provided for the synthesis of the minimally restrictive supervisor for a modified Readers-Writers problem, again with infinite state space. Thus we have successfully developed a technique for supervisory control of infinite state systems. The computational complexity of our approach depends on the number of variables and conditional assignment statements representing the system rather than the actual number of states and transitions. Computationally more efficient algorithms for supervisory control of infinite state systems need to be developed based on the theory presented in this paper. Some such techniques that involve mathematical induction as an analysis tool are reported in [7], and further research on this issue is currently under investigation.


2 Notation and Terminology

The discrete event dynamical system (DEDS) to be controlled - called the plant - is modeled as a state machine (SM) [10] following the framework of [23]. Let the quadruple $G \triangleq (X, \Sigma, \delta, x_0)$ denote a SM representing a plant; where $X$ denotes the state set; $\Sigma$ denotes the finite event or alphabet set; $\delta : X \times \Sigma \to X$ denotes the partial state transition function; and $x_0 \in X$ denotes the initial state.

A supervisor or controller for the given DEDS is designed so that the behavior of the closed loop system satisfies certain qualitative constraints described in terms of the state set of the plant. The event set is partitioned into $\Sigma = \Sigma_u \cup (\Sigma - \Sigma_u)$, the sets of uncontrollable and controllable events. A supervisor for the given plant $G$ is characterized by a (static) control law $S : X \to 2^\Sigma$. A control law is said to be static if the control action at each step depends only on the observation at that step (for a more detailed and formal definition refer to [15, 14]). A dynamic control law will be considered in section 5, where the supervisory control problem under partial observation is addressed.

Thus if $\sigma \in \Sigma$ is such that $\sigma \in S(x)$ for some $x \in X$, then $\sigma$ is said to be enabled by the supervisor in state $x$. Since a supervisor can disallow only controllable events from occurring, we also have for each $x \in X$, $\Sigma_u(x) \subseteq S(x)$, where $\Sigma_u(x)$ is the set of uncontrollable events defined at state $x$. The controlled system is then described by the state machine $G_S \triangleq (X, \Sigma, \delta_S, x_0)$, where for $x \in X$ and $\sigma \in \Sigma$, $\delta_S(x, \sigma) = \delta(x, \sigma)$ if $\sigma \in S(x)$, and undefined otherwise.

Remark 2.1 One way to implement a static control law as described above is to let the subautomaton of $G$ corresponding to the control law $S$ run in synchrony with $G$, as described in [15, 14].

2.1 Predicates and Predicate Transformers

Next we introduce a few definitions from the theory of predicate calculus [5, 6, 8] that we use in this paper to study and formulate the supervisory predicate control problem. Let $\mathcal{P}$ denote the collection of predicates defined on the state set $X$, i.e. if $P \in \mathcal{P}$, then it is a boolean valued map $P : X \to \{0, 1\}$. With every $P \in \mathcal{P}$, we associate a set $X_P \subseteq X$ on which $P$ takes the value one, i.e. $x \in X_P$ if and only if $P(x) = 1$. We say that the predicate $P$ holds on $x \in X$ if $P(x) = 1$. Conversely, given a set $X' \subseteq X$, it can be associated with a predicate $P_{X'} \in \mathcal{P}$ such that $P_{X'}(x) = 1$ if and only if $x \in X'$. Thus the collection of predicates $\mathcal{P}$ can be associated with the power set $2^X$ using the association described above. In what follows next, we use the names predicates and subsets interchangeably. The symbols $P, Q, R$ etc. are used for denoting predicates.

Definition 2.2 Given $P \in \mathcal{P}$, its negation, denoted $\neg P$, is another predicate defined to be: for every $x \in X$, $\neg P(x) = 1 \Leftrightarrow P(x) = 0$. Given an indexing set $\Lambda$, let $P_\lambda \in \mathcal{P}$ for each $\lambda \in \Lambda$. Then the conjunction $\bigwedge_{\lambda \in \Lambda} P_\lambda$ is defined to be: for every $x \in X$, $\bigwedge_{\lambda \in \Lambda} P_\lambda(x) = 1 \Leftrightarrow \forall \lambda \in \Lambda, P_\lambda(x) = 1$; and the disjunction $\bigvee_{\lambda \in \Lambda} P_\lambda$ is defined to be: for every $x \in X$, $\bigvee_{\lambda \in \Lambda} P_\lambda(x) = 1 \Leftrightarrow \exists \lambda \in \Lambda$ s.t. $P_\lambda(x) = 1$.

Definition 2.3 The symbols $true$ and $false$ are used for denoting predicates that hold on all and none of the states respectively, i.e. $true(x) = 1, \forall x \in X$ and $false(x) = 0, \forall x \in X$. Thus $true = \neg false$. Also, the predicate $true$ can be associated with the entire state space $X$, and the predicate $false$ can be associated with the empty set $\emptyset$.

Example 2.4 Let $X = \mathbb{R}^2$, i.e. the state space equals the real plane. Let $x, y$ be state variables taking values in $\mathbb{R}$. Then the predicate $(x \le y)$ holds in those states in $\mathbb{R}^2$ where the value of the variable $x$ is not greater than that of variable $y$. Notice that predicates can concisely describe an infinite state space.

The quadruple $(\mathcal{P}, \neg, \wedge, \vee)$ forms a boolean algebra which is isomorphic to the algebra of subsets of $X$ under the operations of complementation, intersection and union. For $P_1, P_2 \in \mathcal{P}$, we say that $P_1 \preceq P_2$ if and only if $P_1 \wedge P_2 = P_1$, or $P_1 \vee P_2 = P_2$. $P_1$ is said to be stronger than $P_2$, equivalently, $P_2$ is said to be weaker than $P_1$, if $P_1 \preceq P_2$. Note that $\preceq$ induces a partial order on $\mathcal{P}$, i.e. $\preceq$ is a reflexive, transitive and antisymmetric relation on $\mathcal{P}$. Since $\preceq$ is antisymmetric, if $P_1, P_2 \in \mathcal{P}$ are such that $P_1 \preceq P_2$ and $P_2 \preceq P_1$, then $P_1 = P_2$, i.e. they are the same predicate. It can be shown that the partial order $(\mathcal{P}, \preceq)$ is also complete [9].

Let $\mathcal{F}$ denote the collection of all predicate transformers, i.e. if $f \in \mathcal{F}$, then $f : \mathcal{P} \to \mathcal{P}$. We use the symbols $f, g, h$ etc. to denote predicate transformers.

Definition 2.5 The negation $\neg f$ for some $f \in \mathcal{F}$ is defined to be $(\neg f)(P) = \neg(f(P))$ for each $P \in \mathcal{P}$. The conjunction and disjunction of an arbitrary set of predicate transformers are defined in an analogous way and are obtained by taking the conjunction and disjunction, respectively, over the set of image predicates, i.e. given an arbitrary indexing set $\Lambda$, $(\bigwedge_{\lambda \in \Lambda} f_\lambda)(P) = \bigwedge_{\lambda \in \Lambda} (f_\lambda(P))$, and $(\bigvee_{\lambda \in \Lambda} f_\lambda)(P) = \bigvee_{\lambda \in \Lambda} (f_\lambda(P))$ for each $P \in \mathcal{P}$.

Definition 2.6 Consider $G \triangleq (X, \Sigma, \delta, x_0)$. For each $\sigma \in \Sigma$, $sp_\sigma : \mathcal{P} \to \mathcal{P}$ is defined to be: $sp_\sigma(P) \triangleq Q$, where $X_Q = \{x \in X \mid \exists y \in X_P \text{ s.t. } \delta(y, \sigma) = x\}$. We use $sp, sp_u$ to denote $\bigvee_{\sigma \in \Sigma} sp_\sigma, \bigvee_{\sigma \in \Sigma_u} sp_\sigma$ respectively.

Thus $sp_\sigma(P)$ is the predicate which holds on the set of states that are reached by the transition $\sigma$ from a state where $P$ holds.

Definition 2.7 For the system $G$, the predicate transformer $wlp_\sigma \in \mathcal{F}$ for each $\sigma \in \Sigma$ is: $wlp_\sigma(P) \triangleq Q$, where $X_Q = \{x \in X \mid \text{either } \delta(x, \sigma) \in X_P \text{ or } \delta(x, \sigma) \text{ is undefined}\}$. The predicate transformers $wlp, wlp_u$ are defined to be $\bigwedge_{\sigma \in \Sigma} wlp_\sigma, \bigwedge_{\sigma \in \Sigma_u} wlp_\sigma$ respectively.

Thus $wlp_\sigma(P)$ is the predicate which holds in those states where either the transition $\sigma$ is not defined or a $\sigma$ transition from them leads to a state where $P$ holds.

Example 2.8 Let the state space be $\mathbb{R}^2$. We will use the pair $(x, y)$ to denote an arbitrary element of $\mathbb{R}^2$. Consider a program $G$ that assigns $(x, y)$ to $(x + y, x - y)$, i.e.

$G : (x, y) := (x + y, x - y).$

Then given any set $R \subseteq \mathbb{R}^2$, it gets "transformed" to the set $\{(x', y') \mid (x' = x + y) \wedge (y' = x - y), (x, y) \in R\}$ whenever $G$ is executed. Let the predicate $(xy > 10)$ be true upon execution of $G$. Then the predicate $(x^2 - y^2 > 10)$ must be true before execution of $G$. In other words, $wlp_{(x,y) := (x+y, x-y)}((xy > 10)) = (x^2 - y^2 > 10)$.

The predicate transformers $sp$ and $wlp$ as defined above are called the strongest postcondition and the weakest liberal precondition [5, 6, 8]. We use the notation $sp_S$ ($wlp_S$) to denote the strongest postcondition (weakest liberal precondition) operator induced by the transition function $\delta_S$ of the controlled system $G_S$, i.e. $sp_S = \bigvee_{\sigma \in \Sigma} (sp_S)_\sigma$ and $wlp_S = \bigwedge_{\sigma \in \Sigma} (wlp_S)_\sigma$. With the above introduction on predicates and predicate transformers it is clear that a DEDS can also be represented in terms of predicates and predicate transformers.

Definition 2.9 $G \triangleq (\mathcal{P}_X, \Sigma, sp, I)$; where $\mathcal{P}_X$ corresponds to the set of predicates defined on the state space $X$ of $G$; $\Sigma$ denotes the event set; $sp \in \mathcal{F}$ is the predicate transformer corresponding to the state transition function of $G$; and $I \in \mathcal{P}_X$ corresponds to the initial states (also called initial condition) of $G$.

The behavior of a DEDS is essentially described by $sp \in \mathcal{F}$, which is specified using the state transition function. It may also be specified using a finite set of conditional assignment statements of the type:

$x := F(x) \text{ if } C(x) : \sigma$

The above assignment statement, labeled by the event $\sigma$, is said to be enabled if the condition specified as the predicate $C(x)$ holds, and if executed, the value of variable $x$ becomes $F(x)$. Thus given any predicate $P(x)$, $sp_\sigma(P(x))$ is the predicate reached after the execution of $\sigma$ and can be readily calculated to be $[P(F^{-1}(x)) \wedge C(F^{-1}(x))]$, where $F^{-1}(x) = \{x' \mid F(x') = x\}$. Similarly, the predicate $wlp_\sigma(P(x))$ can be easily computed to be $[(P(F(x)) \wedge C(x)) \vee \neg C(x)]$.

Consider for example a conditional assignment statement:

$x, y := x + y, x - y \text{ if } x > y : \sigma$

Let $P(x, y) = (x + y > 10)$. Then $sp_\sigma(P(x, y)) = [\{\frac{x+y}{2} + \frac{x-y}{2} > 10\} \wedge \{\frac{x+y}{2} > \frac{x-y}{2}\}] = [(x > 10) \wedge (y > 0)]$; and $wlp_\sigma(P(x, y)) = [\{(x + y) + (x - y) > 10\} \wedge (x > y)] \vee [x \le y] = [\{(x > 5) \wedge (x > y)\} \vee \{x \le y\}]$.
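The two closed forms above, $sp_\sigma(P) = P(F^{-1}(x)) \wedge C(F^{-1}(x))$ and $wlp_\sigma(P) = (P(F(x)) \wedge C(x)) \vee \neg C(x)$, can be evaluated pointwise once $F$, its inverse and the guard $C$ are given as functions. The following is an added example, not code from the paper: it builds $sp_\sigma$ and $wlp_\sigma$ for the statement $x, y := x + y, x - y$ if $x > y$, and checks them on a constructed grid of states against the results worked out in the text and in Example 2.8. It assumes $F$ is injective (so that $F^{-1}$ is a single point), which holds for this statement; the names make_transformers, F_inv, GRID and agree_on_grid are this example's own.

```python
"""Added example (not the paper's code): pointwise sp_sigma and wlp_sigma of a
conditional assignment  x := F(x) if C(x) : sigma  on the real plane, using
    sp_sigma(P)(x)  = P(F^{-1}(x)) and C(F^{-1}(x))     (F assumed injective)
    wlp_sigma(P)(x) = (P(F(x)) and C(x)) or not C(x)
and checked on a constructed grid against the page's worked results."""
from fractions import Fraction as Fr
from itertools import product


def make_transformers(F, F_inv, C):
    """Return (sp_sigma, wlp_sigma) for x := F(x) if C(x) : sigma.
    Predicates are callables state -> bool; F_inv is the inverse of F."""

    def sp_sigma(P):
        # Holds at s iff s is reached by sigma from a state where P holds,
        # i.e. the unique pre-image of s satisfies both P and the guard C.
        return lambda s: P(F_inv(s)) and C(F_inv(s))

    def wlp_sigma(P):
        # Holds at s iff sigma is disabled at s, or its target satisfies P.
        return lambda s: (P(F(s)) and C(s)) or not C(s)

    return sp_sigma, wlp_sigma


# The plane map (x, y) -> (x + y, x - y) and its inverse; exact rationals
# keep the halving in F_inv free of rounding on the grid below.
def F(s):
    x, y = s
    return (x + y, x - y)


def F_inv(s):
    xp, yp = s
    return ((xp + yp) / 2, (xp - yp) / 2)


# Constructed sample of states: the integer points of [-15, 15]^2.
GRID = [(Fr(x), Fr(y)) for x, y in product(range(-15, 16), repeat=2)]


def agree_on_grid(p, q):
    """True iff predicates p and q take the same value at every grid state."""
    return all(bool(p(s)) == bool(q(s)) for s in GRID)


# Example 2.8: the unconditional assignment, i.e. guard C = true.
sp_G, wlp_G = make_transformers(F, F_inv, lambda s: True)


def example_2_8_holds():
    # wlp((xy > 10)) should be (x^2 - y^2 > 10).
    w = wlp_G(lambda s: s[0] * s[1] > 10)
    return agree_on_grid(w, lambda s: s[0] ** 2 - s[1] ** 2 > 10)


# The guarded statement  x, y := x + y, x - y  if x > y : sigma
# with P(x, y) = (x + y > 10).
sp_sigma, wlp_sigma = make_transformers(F, F_inv, lambda s: s[0] > s[1])
P = lambda s: s[0] + s[1] > 10


def sp_example_holds():
    # sp_sigma(P) should be (x > 10) and (y > 0).
    return agree_on_grid(sp_sigma(P), lambda s: s[0] > 10 and s[1] > 0)


def wlp_example_holds():
    # wlp_sigma(P) should be ((x > 5) and (x > y)) or (x <= y).
    return agree_on_grid(wlp_sigma(P),
                         lambda s: (s[0] > 5 and s[0] > s[1]) or s[0] <= s[1])


if __name__ == "__main__":
    print("Example 2.8 wlp matches:", example_2_8_holds())
    print("sp closed form matches:", sp_example_holds())
    print("wlp closed form matches:", wlp_example_holds())
```

The grid only samples the plane, so agreement on it is evidence rather than a proof; the proof is the algebra in the text. The design point is that the guard enters $sp_\sigma$ through the pre-image and $wlp_\sigma$ through the current state, which is why a disabled transition makes $wlp_\sigma$ hold vacuously but never contributes to $sp_\sigma$.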

Note that the DEDS representation as described in Definition 2.9 describes a wide range of DEDS's, such as a system with an infinite state space, a nondeterministic [10] system, or a system that could initially be in a set of states where the predicate $I$ holds. Henceforth we use the representation of $G$ introduced in Definition 2.9 for describing a DEDS.

Example 2.10 Consider the following program which corresponds to the Readers-Writers problem written in a programming logic adapted from the UNITY framework [4]. Informally stated, the Readers-Writers problem can be expressed as a DEDS which has a distributed database, access to which is sought by an infinite number of readers and writers.
Program Rd_Wr
declare
    nr, nw : integer
    st_rd, st_wt, end_rd, end_wt : event
initially
    nr, nw = 0, 0
assign
    nr := nr + 1                 : st_rd
    nr := nr - 1  if (nr > 0)    : end_rd
    nw := nw + 1                 : st_wt
    nw := nw - 1  if (nw > 0)    : end_wt
end {Rd_Wr}

The declare section contains the description of the program variables. The state variables $nr, nw$ are of integer type and denote the number of readers and the number of writers respectively accessing the database. Both $nr, nw$ are bounded below by zero. Thus the state space of the system is $\mathcal{N}^2$, which is infinite. The symbols $st\_rd, st\_wt, end\_rd, end\_wt$ correspond to the events start-read, start-write, end-read, end-write respectively. The program starts executing with the system being in the initial state $((nr, nw) = (0, 0))$, which is described in the initially section of the program. The system evolves according to the execution of the "enabled" assignment statements of the assign section. An assignment statement is said to be enabled whenever the condition under the "if" part of the assignment is satisfied. One of the enabled assignment statements is nondeterministically picked for execution and upon execution the state variables accordingly change their values. The entries in the last column of the assign section are the event names for the corresponding assignment statements.

The program Rd_Wr describes a DEDS of the type $G \triangleq (\mathcal{P}_X, \Sigma, sp, I)$; where $\mathcal{P}_X$ denotes the set of predicates corresponding to the subsets of the state set $X = \mathcal{N}^2$; $\Sigma = \{st\_rd, st\_wt, end\_rd, end\_wt\}$; $sp$ corresponds to the assignments of the assign section as aforementioned; and $I = ((nr, nw) = (0, 0))$.

3 On Solving Predicate Equations

So far we have defined the notions of predicates and predicate transformers. Next we consider some of their properties and describe a few methods for solving some predicate equations that we use later to design supervisors for a given DEDS. Some of the results presented in this section can also be found in [6]; however, we present their proofs here mainly to illustrate the proof style that we follow throughout the paper.

Definition 3.1 [6] Consider $f \in \mathcal{F}$. $f$ is said to be strict if $f(false) = false$; monotone if $P \preceq Q \Rightarrow f(P) \preceq f(Q)$; disjunctive if $f(\bigvee_{\lambda \in \Lambda} P_\lambda) = \bigvee_{\lambda \in \Lambda} f(P_\lambda)$; and conjunctive if $f(\bigwedge_{\lambda \in \Lambda} P_\lambda) = \bigwedge_{\lambda \in \Lambda} f(P_\lambda)$ ($\Lambda$ denotes an arbitrary indexing set, and we adopt the convention that the disjunction as well as the conjunction over the empty set is the predicate $false$, i.e. $\bigvee_{\lambda \in \Lambda} P_\lambda = \bigwedge_{\lambda \in \Lambda} P_\lambda = false$ if $\Lambda = \emptyset$).

It is easily shown that $sp_\sigma(\bigvee_{\lambda \in \Lambda} P_\lambda) = \bigvee_{\lambda \in \Lambda} sp_\sigma(P_\lambda)$, as $\{x \in X \mid \exists \lambda \in \Lambda : \exists y \in X_{P_\lambda} \text{ s.t. } \delta(y, \sigma) = x\} = \bigcup_{\lambda \in \Lambda} \{x \in X \mid \exists y \in X_{P_\lambda} \text{ s.t. } \delta(y, \sigma) = x\}$. Thus $sp$ is disjunctive, and similarly it is easily verified that $wlp$ is conjunctive.

Example 3.2 To illustrate that $sp$ is disjunctive, consider the program of Example 2.8, and let $[x + y \le 1]$ and $[(x, y) = (0, 1)]$ be two predicates on the state space $\mathbb{R}^2$. Then under program $G$, $sp([x + y \le 1]) = [x \le 1]$, and $sp([(x, y) = (0, 1)]) = [(x, y) = (1, -1)]$. Since $[x + y \le 1] \vee [(x, y) = (0, 1)] = [x + y \le 1]$, $sp([x + y \le 1] \vee [(x, y) = (0, 1)]) = sp([x + y \le 1]) = [x \le 1]$. Notice that $[x \le 1] \vee [(x, y) = (1, -1)] = [x \le 1]$ as expected, for $sp$ is disjunctive.

$wlp$ is conjunctive; to illustrate this consider two predicates $xy \le 10$ and $x = 2$ on the state space $\mathbb{R}^2$. Then $(xy \le 10) \wedge (x = 2) = (x = 2) \wedge (y \le 5)$. Consider the program $G$ of Example 2.8. Then under $G$, $wlp([xy \le 10]) = [x^2 - y^2 \le 10]$, $wlp([x = 2]) = [x + y = 2]$, and $wlp([y \le 5]) = [x - y \le 5]$. Note that $[x^2 - y^2 \le 10] \wedge [x + y = 2] = [x + y = 2] \wedge [x - y \le 5]$ as expected, for $wlp$ is conjunctive.

Lemma 3.3 [6] Consider $f \in \mathcal{F}$.

1. $f$ disjunctive implies that $f$ is strict and monotone.

2. $f$ conjunctive implies that $f$ is strict and monotone.


Proof: We prove the first part of Lemma 3.3; the proof of the second part is obtained in a similar manner. Let $P, Q \in \mathcal{P}$ be arbitrary.

1. $f(\bigvee_{\lambda \in \Lambda} P_\lambda) = \bigvee_{\lambda \in \Lambda} f(P_\lambda)$ ; $f$ is disjunctive

2. $f(\bigvee_{\lambda \in \emptyset} P_\lambda) = \bigvee_{\lambda \in \emptyset} f(P_\lambda)$ ; replace $\Lambda$ by $\emptyset$ in 1

3. $f(false) = false$ ; from 2 and using $\bigvee_{\lambda \in \emptyset} P_\lambda = false$

4. $f$ is strict ; from 3

5. $P \preceq Q \Rightarrow P \vee Q = Q$ ; by definition of $\preceq$

6. $P \preceq Q \Rightarrow f(P \vee Q) = f(Q)$ ; apply $f$ on 5

7. $P \preceq Q \Rightarrow f(P) \vee f(Q) = f(Q)$ ; $f$ is disjunctive

8. $P \preceq Q \Rightarrow f(P) \preceq f(Q)$ ; follows from 7 and definition of $\preceq$

9. $f$ is monotone ; from 8

This completes the proof. □

We define the following operations on $f \in \mathcal{F}$ (we have already defined negation, disjunction and conjunction above):

Definition 3.4 The conjugate of $f$, written as $\overline{f}$, is defined to be: for $P \in \mathcal{P}$, $\overline{f}(P) = \neg(f(\neg P))$; the disjunctive closure of $f$, written as $f^*$, is defined to be $\bigvee_{n \ge 0} f^n$; and the conjunctive closure of $f$, written as $f_*$, is defined to be $\bigwedge_{n \ge 0} f^n$, where $f^0$ is defined to be the identity predicate transformer.


Thus $\overline{sp}(P)$ characterizes the predicate which holds in states that cannot be reached by a single transition from a state where $\neg P$ holds, i.e. in states that either have no transitions leading into them or which can be reached by a single transition only from those states where $P$ holds. $sp^*(P)$ denotes the predicate which holds in those states that can be reached by any number of transitions from a state where $P$ holds. Thus $sp^*$ is useful in characterizing the set of reachable states.

$wlp(P)$ characterizes the predicate which holds in states from which only a state where $P$ holds can be reached by a single transition. $wlp_*(P)$ characterizes the weakest predicate stronger than $P$ that is closed under the executions of $G$, i.e. $X_{wlp_*(P)}$ is the supremal $\Sigma$-invariant [15, 14] subset of $X_P$.
Lemma 3.5 Let $f \in \mathcal{F}$ be monotone; then

1. $f(P) \preceq P \Leftrightarrow f^*(P) \preceq P$

2. $P \preceq f(P) \Leftrightarrow P \preceq f_*(P)$.

Proof: We only prove the first part of Lemma 3.5; the proof for the second part is derived in an analogous way. Note that the reverse implication is obvious; we use induction on the exponent $n$ in the definition of $f^*$ to prove the forward implication.

1. $f^*(P) \preceq P \Rightarrow f(P) \preceq P$ ; by definition of $f^*$

2. $f^0(P) \preceq P \Leftrightarrow true$ ; by definition of $f^0$

3. $f(P) \preceq P \Rightarrow f^0(P) \preceq P$ ; from 2 (base case for induction)

4. $f(P) \preceq P \Rightarrow f^n(P) \preceq P$ ; induction hypothesis

5. $f(P) \preceq P \Rightarrow f(f^n(P)) \preceq f(P)$ ; apply $f$ on RHS of 4, and $f$ monotone

6. $f(P) \preceq P \Rightarrow f^{n+1}(P) \preceq P$ ; simplifying 5

7. $\forall i \ge 0 : f(P) \preceq P \Rightarrow f^i(P) \preceq P$ ; from 3, 6 and induction

8. $f(P) \preceq P \Rightarrow f^*(P) \preceq P$ ; taking disjunct wrt $i$ in 7

9. $f(P) \preceq P \Leftrightarrow f^*(P) \preceq P$ ; from 1 and 8

This completes the proof. □

Since $sp$ is disjunctive, it is also monotone (Lemma 3.3). Thus Lemma 3.5 applies to $sp$ as well; the implication of part 1 is that if the set of states reached by a single transition is contained in the set of starting states, then so is the entire set of reachable states. The implication of the second part of Lemma 3.5 applied to $wlp$ ($wlp$ conjunctive implies $wlp$ monotone from Lemma 3.3) is that if the set of states from which only the states in a target state set can be reached in a single transition contains the set of target states, then so does the set of states from which only the target state set is reached in any number of transitions.
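On a finite state machine the closures are fixpoints that can be computed by iteration: $sp^*(P)$ is the least fixpoint of $R = P \vee sp(R)$ and $wlp_*(P)$ is the greatest fixpoint of $R = P \wedge wlp(R)$. The following is an added example, not the paper's code: it represents the Readers-Writers program Rd_Wr of Example 2.10 as a finite state machine truncated to at most N readers and N writers (a constructed bound; the paper's state space $\mathcal{N}^2$ is infinite), computes $sp^*$ of the initial condition and $wlp_*$ of the mutual exclusion predicate $(nr = 0) \vee (nw = 0)$, and checks part 1 of Lemma 3.5 with $f = sp$. Predicates are represented by their state sets $X_P$; the names rd_wr_machine, sp_star, wlp_star and MUTEX are this example's own.

```python
"""Added example (not the paper's code): Rd_Wr of Example 2.10 as a finite
state machine truncated at N readers/writers, with sp, wlp and the closures
    sp^*(P)  = OR_{n>=0}  sp^n(P)    (states reachable from P)
    wlp_*(P) = AND_{n>=0} wlp^n(P)   (supremal invariant subset of P)
computed by fixpoint iteration over state sets."""
from itertools import product

N = 3  # constructed truncation bound on nr and nw


def rd_wr_machine(n=N):
    """Partial transition function delta as {(state, event): next_state}.
    A state is (nr, nw).  st_rd / st_wt are unguarded in the program; the
    bound n only drops the transitions that would leave the truncated space."""
    delta = {}
    for nr, nw in product(range(n + 1), repeat=2):
        s = (nr, nw)
        if nr < n:
            delta[(s, "st_rd")] = (nr + 1, nw)
        if nr > 0:
            delta[(s, "end_rd")] = (nr - 1, nw)
        if nw < n:
            delta[(s, "st_wt")] = (nr, nw + 1)
        if nw > 0:
            delta[(s, "end_wt")] = (nr, nw - 1)
    return delta


STATES = frozenset(product(range(N + 1), repeat=2))
EVENTS = ("st_rd", "end_rd", "st_wt", "end_wt")
DELTA = rd_wr_machine()


def sp(P, delta=DELTA):
    """Strongest postcondition: states reached by one transition from X_P."""
    return frozenset(t for (s, _), t in delta.items() if s in P)


def wlp(P, delta=DELTA, states=STATES, events=EVENTS):
    """Weakest liberal precondition: states whose every defined successor lies in X_P
    (a state with no defined transition satisfies it vacuously)."""
    return frozenset(s for s in states
                     if all((s, e) not in delta or delta[(s, e)] in P
                            for e in events))


def sp_star(P, delta=DELTA):
    """Disjunctive closure: least fixpoint of R = P or sp(R)."""
    reach = frozenset(P)
    while True:
        nxt = reach | sp(reach, delta)
        if nxt == reach:
            return reach
        reach = nxt


def wlp_star(P, delta=DELTA):
    """Conjunctive closure: greatest fixpoint of R = P and wlp(R)."""
    inv = frozenset(P)
    while True:
        nxt = inv & wlp(inv, delta)
        if nxt == inv:
            return inv
        inv = nxt


I = frozenset({(0, 0)})                                        # initial condition
MUTEX = frozenset(s for s in STATES if s[0] == 0 or s[1] == 0)  # nr = 0 or nw = 0


def reachable_from_initial():
    return sp_star(I)


def supremal_invariant_in_mutex():
    # Empty here: without control every state has a successor that
    # violates mutual exclusion, which is what a supervisor must fix.
    return wlp_star(MUTEX)


def lemma_3_5_part1_holds(P):
    """sp(P) <= P  iff  sp^*(P) <= P  (Lemma 3.5, part 1, with f = sp)."""
    return (sp(P) <= P) == (sp_star(P) <= P)


if __name__ == "__main__":
    print("reachable:", len(reachable_from_initial()), "of", len(STATES), "states")
    print("supremal invariant inside mutual exclusion:", set(supremal_invariant_in_mutex()))
```

With the bound in place every truncated state is reachable from $(0, 0)$, including states with both readers and writers present, and the greatest invariant inside the mutual exclusion predicate is $false$: no nonempty subset of the legal states is closed under the uncontrolled program, which is exactly why the later sections synthesize a supervisor rather than rely on the plant alone.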

Lemma 3.6 [6] Consider $f \in \mathcal{F}$.

1. If $f$ is disjunctive, then so is $f^*$.

2. If $f$ is conjunctive, then so is $f_*$.

Proof: As above we omit the proof of the second part, which can be obtained analogously to the proof of part 1 that we present next. It suffices to show that $f^n$ is disjunctive for each $n \in \mathcal{N}$, for if $f^n$ is disjunctive for each $n \in \mathcal{N}$, then $f^*(\bigvee_{\lambda \in \Lambda} P_\lambda) = \bigvee_{n \ge 0} f^n(\bigvee_{\lambda \in \Lambda} P_\lambda) = \bigvee_{n \ge 0} \bigvee_{\lambda \in \Lambda} f^n(P_\lambda) = \bigvee_{\lambda \in \Lambda} \bigvee_{n \ge 0} f^n(P_\lambda) = \bigvee_{\lambda \in \Lambda} f^*(P_\lambda)$. Hence we prove disjunctivity of $f^n$ for each $n \in \mathcal{N}$ by induction on the exponent $n$ in the definition of $f^*$.

1. $f^1 = f$ is disjunctive ; by assumption (base case for induction)

2. $f^{n+1} = f(f^n)$ ; definition of exponent

3. $f^n(\bigvee_{\lambda \in \Lambda} P_\lambda) = \bigvee_{\lambda \in \Lambda} f^n(P_\lambda)$ ; induction hypothesis

4. $f^{n+1}(\bigvee_{\lambda \in \Lambda} P_\lambda) = f(\bigvee_{\lambda \in \Lambda} f^n(P_\lambda))$ ; using 2 and 3

5. $f^{n+1}(\bigvee_{\lambda \in \Lambda} P_\lambda) = \bigvee_{\lambda \in \Lambda} f^{n+1}(P_\lambda)$ ; from 4 and $f$ is disjunctive

Thus the proof is completed. □

Lemma 3.7 [6] If $f$ is disjunctive (conjunctive), then $\overline{f}$ is conjunctive (disjunctive).

Proof: The proof is simple and based on application of De Morgan's law. □

It thus follows from Lemma 3.6 that $sp^*$ is disjunctive, and from Lemma 3.7 that $\overline{sp}$ and $\overline{sp^*}$ are conjunctive. Similarly, since $wlp$ is conjunctive, so is $wlp_*$ (Lemma 3.6), and $\overline{wlp}$ and $\overline{wlp_*}$ are disjunctive (Lemma 3.7). Next we quote a result regarding existence of the extremal solution of a predicate equation, the proof of which can be found in [6]. A notation of the type $Q : f(Q) \preceq h(Q)$, where $f, h \in \mathcal{F}$ and $Q \in \mathcal{P}$, is used to denote a predicate equation in the variable predicate $Q$ such that it satisfies $f(Q) \preceq h(Q)$.

Theorem 3.8 [6] Consider the predicate equation $Q : f(Q) \preceq h(Q)$.

1. If $f$ is disjunctive and $h$ is monotone, then the weakest solution of the above equation exists (and is unique).

2. If $f$ is monotone and $h$ is conjunctive, then the strongest solution of the above equation exists (and is unique).

An immediate consequence of Theorem 3.8 is the following corollary:

Corollary 3.9 Let $f$ be disjunctive and $P \in \mathcal{P}$ be arbitrary; then

1. the weakest solution of the equation $Q : f(Q) \preceq P$ exists.

2. the weakest solution of the equation $Q : f(Q) \preceq Q$ exists.

Proof: 1. Follows from the fact that $P$, treated as a constant predicate transformer, is monotone.

2. Follows from the fact that the identity function is monotone. □

Next  we  show  that  there  exists  a  strong  relationship  between  the  set  of  disjunctive  and 
the  set  of  conjunctive  predicate  transformers.  A  result  of  similar  nature  is  obtained  in  [6,  p. 
202,  Theorem  1]  regarding  converses  of  predicates. 

Theorem 3.10 Consider $f, g \in \mathcal{F}$. Let $f$ be disjunctive and $g$ be conjunctive; then the following are equivalent:

C-1. $g(P)$ is the weakest solution of $Q : f(Q) \preceq P$ for all $P \in \mathcal{P}$.

C-2. $(f(g(P)) \preceq P) \wedge (P \preceq g(f(P)))$ for all $P \in \mathcal{P}$.

C-3. $f(P) \preceq Q \Leftrightarrow P \preceq g(Q)$ for all $P, Q \in \mathcal{P}$.

C-4. $f(P)$ is the strongest solution of $Q : P \preceq g(Q)$ for all $P \in \mathcal{P}$.

Proof:  Refer  to  Appendix  A.  □ 

The weakest solution of $Q : f(Q) \preceq P$ depends both on $f$ and $P$. Let it be denoted by $f^\perp(P)$. Note that $f^\perp \in \mathcal{F}$. We define it to be the dual of $f$. Formally,

Definition 3.11 Let $f^\perp(\cdot) \in \mathcal{F}$ be the weakest solution of $Q : f(Q) \preceq (\cdot)$, where $f \in \mathcal{F}$ is disjunctive. Then $f^\perp$ is called the dual of $f$.

Lemma 3.12 If $f$ is disjunctive, then its dual $f^\perp$ is conjunctive.
Proof: Consider the equation $Q : f(Q) \preceq \bigwedge_{\lambda\in\Lambda} P_\lambda$. Then by definition $f^\perp(\bigwedge_{\lambda\in\Lambda} P_\lambda)$ is the weakest solution of this equation. We show that $\bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))$ is also the weakest solution; hence from the uniqueness of the solution it follows that $f^\perp$ is conjunctive. First we show that $\bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))$ is a solution.

1. $\forall \lambda \in \Lambda : f(f^\perp(P_\lambda)) \preceq P_\lambda$ ; $f^\perp(P_\lambda)$ is a solution of $Q : f(Q) \preceq P_\lambda$

2. $\forall \lambda \in \Lambda : \bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda)) \preceq f^\perp(P_\lambda)$ ; definition of conjunction

3. $\forall \lambda \in \Lambda : f(\bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))) \preceq f(f^\perp(P_\lambda))$ ; apply $f$ on 2, $f$ monotone (Lemma 3.3)

4. $\forall \lambda \in \Lambda : f(\bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))) \preceq P_\lambda$ ; from 1 and 3

5. $f(\bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))) \preceq \bigwedge_{\lambda\in\Lambda} P_\lambda$ ; by taking conjunct wrt $\Lambda$ in 4

6. $\bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))$ is a solution ; from 5

Next we show that $\bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))$ is the weakest solution also. Let $R$ be another solution of $Q : f(Q) \preceq \bigwedge_{\lambda\in\Lambda} P_\lambda$. Then we need to show that $R \preceq \bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))$.

1. $f(R) \preceq \bigwedge_{\lambda\in\Lambda} P_\lambda$ ; by assumption

2. $\forall \lambda \in \Lambda : f(R) \preceq P_\lambda$ ; from 1

3. $\forall \lambda \in \Lambda : R$ is a solution of $Q : f(Q) \preceq P_\lambda$ ; from 2

4. $\forall \lambda \in \Lambda : f^\perp(P_\lambda)$ is the weakest solution of $Q : f(Q) \preceq P_\lambda$ ; by definition of $f^\perp$

5. $\forall \lambda \in \Lambda : R \preceq f^\perp(P_\lambda)$ ; from 3 and 4

6. $R \preceq \bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))$ ; taking conjunct wrt $\Lambda$ in 5

7. $\bigwedge_{\lambda\in\Lambda}(f^\perp(P_\lambda))$ is the weakest solution ; from 6

This proves that $f^\perp$ is conjunctive. □


An  immediate  consequence  of  Theorem  3.10  and  Lemma  3.12  is  the  following  corollary: 


Corollary 3.13 Let $f \in \mathcal{F}$ be disjunctive. Then the strongest solution of the equation $Q : P \preceq f^\perp(Q)$ exists and is given by $f(P)$.

Proof: From Lemma 3.12 we have that $f^\perp$ is conjunctive. Since $P$ as a constant predicate transformer is monotone, the strongest solution of $Q : P \preceq f^\perp(Q)$ exists (Theorem 3.8). That $f(P)$ is the strongest solution follows by substituting $f^\perp$ for $g$ in Theorem 3.10. □


Remark 3.14 The result of Corollary 3.13 justifies the term dual for the functions $f$ and $f^\perp$. Note that C-1 is used to define the dual of a disjunctive predicate transformer. Since in Theorem 3.10 we showed the equivalence of C-1, C-2, C-3 and C-4, any one of them can be used to equivalently define the dual predicate transformer.


Next  we  prove  a  result  that  is  interesting  from  the  control  perspective. 

Theorem  3.15  wlp  and  sp  are  duals  of  each  other. 

Proof: Note that $sp$ is disjunctive and $wlp$ is conjunctive; hence the duality is well defined in this context. In order to show duality we need to show that $wlp$ and $sp$ satisfy any of the conditions C-1 through C-4 (refer to Theorem 3.10 and Remark 3.14). We show that C-2 holds.

Firstly, it follows from the definitions of $sp$ and $wlp$ that $sp(wlp(P)) \preceq P$ for any $P \in \mathcal{P}$. This is true because $sp(wlp(P))$ holds only in those states of $X_P$ which have at least one transition leading into them. Secondly, it again follows from the definitions of $sp$ and $wlp$ that $P \preceq wlp(sp(P))$ for any $P \in \mathcal{P}$. This is true because $wlp(sp(P))$ holds in those states where either $P$ holds or which have no transitions leading out of them. Thus both the conjuncts of C-2 hold, which proves the duality of $wlp$ and $sp$. □
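As an added illustration, not part of the paper, the script below checks the two conjuncts of C-2 used in this proof (together with the bounds the proof argues from), C-3, and Definition 3.11 exhaustively on a small constructed transition relation. The four-state plant in TRANS is an assumption of the example; a predicate is represented by the set of states where it holds, so "stronger than" is set inclusion.

```python
from itertools import combinations

# Constructed 4-state plant (an assumption of this example, not from the paper):
# delta(x, sigma) = y is stored as TRANS[(x, sigma)] = y. State "d" has no outgoing
# transition and "a" has no incoming one, the two situations the proof singles out.
STATES = frozenset("abcd")
TRANS = {("a", "s1"): "b", ("a", "s2"): "c", ("b", "s1"): "c", ("c", "s2"): "d"}

def sp(P):
    """Strongest postcondition: states reached from X_P by exactly one transition."""
    return frozenset(y for (x, _), y in TRANS.items() if x in P)

def wlp(P):
    """Weakest liberal precondition: states all of whose successors lie in X_P."""
    return frozenset(x for x in STATES
                     if all(y in P for (src, _), y in TRANS.items() if src == x))

def predicates():
    """Every predicate over STATES, i.e. every subset of STATES."""
    for k in range(len(STATES) + 1):
        for combo in combinations(sorted(STATES), k):
            yield frozenset(combo)

def dual_of_sp(P):
    """Definition 3.11 computed literally: the weakest solution of Q : sp(Q) <= P is
    the disjunction (union) of all solutions; it exists because sp is disjunctive."""
    return frozenset().union(*(Q for Q in predicates() if sp(Q) <= P))

def check_junctivity():
    """sp is disjunctive and wlp is conjunctive, the precondition of Theorem 3.15."""
    return all(sp(P | Q) == sp(P) | sp(Q) and wlp(P & Q) == wlp(P) & wlp(Q)
               for P in predicates() for Q in predicates())

def check_theorem_3_15():
    """True iff sp and wlp are duals on this plant: C-2 with the two bounds used in
    the proof, C-3, and the literal dual of sp coinciding with wlp (C-1)."""
    has_incoming = frozenset(TRANS.values())
    no_outgoing = STATES - frozenset(x for x, _ in TRANS)
    for P in predicates():
        if not sp(wlp(P)) <= (P & has_incoming):   # sp(wlp(P)) <= P
            return False
        if not (P | no_outgoing) <= wlp(sp(P)):    # P <= wlp(sp(P))
            return False
        if dual_of_sp(P) != wlp(P):                # C-1 / Definition 3.11
            return False
        for Q in predicates():                     # C-3: sp(P) <= Q iff P <= wlp(Q)
            if (sp(P) <= Q) != (P <= wlp(Q)):
                return False
    return True

if __name__ == "__main__":
    print("junctivity:", check_junctivity(), "duality:", check_theorem_3_15())
```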
4 Predicate Transformers and Supervisory Control

In the previous section we described the conditions under which extremal solutions of various boolean equations exist, and introduced the notion of duality of predicate transformers, which is one of the key concepts relating the extremal solutions of the above boolean equations. We now show how these concepts can be useful in synthesizing static supervisors [14, 15] for a given DEDS.

Let $G \stackrel{\mathrm{def}}{=} (V_X, \Sigma, sp, I)$ be a plant as described in Definition 2.9. Let $R \in \mathcal{P}$ denote the required behavioral constraint on $G$. In other words, the control task is to design a static controller $S : X \to 2^\Sigma$ such that as the closed loop system evolves, it visits only and all those states where $R$ holds. Formally,

Supervisory Predicate Control Problem (SPCP): The control task is to construct a static controller $S : X \to 2^\Sigma$ for the plant $G \stackrel{\mathrm{def}}{=} (V_X, \Sigma, sp, I)$ such that $sp_S^*(I) = R$.

The SPCP requires that the state trajectories (in the controlled system $G_S$) starting from a state where the initial predicate $I$ holds, remain confined to the set of states where the required predicate $R$ holds, and visit all the states where $R$ holds. A special case of this problem was first treated in [22] where the control task was to synthesize a static supervisor $S$ such that $sp_S^*(I) \preceq R$, i.e. the states visited under closed loop control be confined to $R$. Thus $R$ in [22] represents a predicate that remains invariant under control. The required predicate $R$ considered in this paper represents the weakest predicate that remains invariant under control (i.e. if $S$ solves SPCP, then no other predicate weaker than $R$ is invariant under $S$).

It is clear that SPCP is solvable only if the set of initial states is contained in the set of states where $R$ holds. Hence in order to allow a nontrivial solution of the SPCP we assume that the above condition is satisfied, which we state as assumption A-1 below:

A-1. $I \preceq R$.
</gr_repl
ace>

<gr_replace lines="756-758" cat="reformat" orig="Definition">
Definition 4.1 $R$ is said to be invariant if $sp(R) \preceq R$. $R$ is said to be $\Sigma_u$-invariant if $sp_u(R) \preceq R$. $R$ is said to be control-invariant if there exists a static controller $S : X \to 2^\Sigma$ such that $sp_S(R) \preceq R$.

Next  we  define  a  few  notions  that  play  a  central  role  in  supervisory  control  of  DEDS. 

Definition  4.1  R  is  said  to  be  invariant  if  sp(R)  ^  R.  R  is  said  to  be  S u-invariant  if 
spu(R)  ■<  R.  R  is  said  to  be  control-invariant  if  there  exists  a  static  controller  S  :  X  —*  2s 
such  that  sps(R)  -<  R. 

Thus if $R$ is an invariant predicate and if the system starts from a state where $R$ holds, then as it evolves it visits only those states where $R$ holds. If $R$ is $\Sigma_u$-invariant, and if the system starts in a state where $R$ holds, then under the execution of any uncontrollable event it remains in a state where $R$ holds. If $R$ is control-invariant, then there exists a static supervisor $S$ such that $R$ is invariant in the controlled system $G_S$. Note that all the above notions are defined with respect to the plant $G$, for they depend on the plant transition function $sp$. It also follows in view of C-3 of Theorem 3.10 that $R$ being invariant, $\Sigma_u$-invariant, control-invariant is equivalent to $R \preceq wlp(R)$, $R \preceq wlp_u(R)$, $R \preceq wlp_S(R)$ respectively. These are the same as the definitions given in [22]. Hence it follows in view of Proposition 7.1 of [22] that $R$ is control-invariant if and only if $R$ is $\Sigma_u$-invariant.
These notions of invariance introduced in [22] are useful in characterizing those sets of states which are closed under the system execution, i.e. if the system starts in a state of an invariant set, then under all executions the state of the system remains in that invariant set. However, it may well be possible that the system never visits some states in that invariant set. Thus the notion of invariance alone is not enough for addressing the SPCP. The notion of controllability of predicates (a notion stronger than that of invariance) was introduced in [19] for addressing the above mentioned problem. We present an equivalent but slightly different definition of controllability and show that controllability is a necessary and sufficient condition for a solution of SPCP to exist. In our opinion, our definition is much more compact and uses a more convenient notation that results in simplicity of proofs and supervisory synthesis techniques.

Definition 4.2 Given $f \in \mathcal{F}$ and $P \in \mathcal{P}$, the restriction of $f$ to $P$, denoted $f|_P$, is the predicate transformer defined as: $(f|_P)(Q) = f(P \wedge Q) \wedge P$ for each $Q \in \mathcal{P}$.

Next we prove a useful property of the restriction operator. We say $f \in \mathcal{F}$ is weakening if $P \preceq f(P)$ for any $P \in \mathcal{P}$.

Lemma 4.3 Let $f \in \mathcal{F}$ be monotone and weakening, and $P, Q \in \mathcal{P}$ be arbitrary. Then

$f|_{(f|_P(Q))}(Q) = f|_P(Q)$.

Proof: Let $R \stackrel{\mathrm{def}}{=} f|_P(Q)$. Then we need to show that $f|_R(Q) = R$.

1. $R = f(P \wedge Q) \wedge P$ ; definition of restriction

2. $f|_R(Q) = f(f(P \wedge Q) \wedge P \wedge Q) \wedge f(P \wedge Q) \wedge P$ ; definition of $f|_{(\cdot)}$ and 1

3. $P \wedge Q \preceq f(P \wedge Q)$ ; $f$ is weakening

4. $P \wedge Q \preceq f(P \wedge Q) \wedge P \wedge Q$ ; conjunct with $P \wedge Q$ in 3

5. $f(P \wedge Q) \preceq f(f(P \wedge Q) \wedge P \wedge Q)$ ; apply $f$ in 4, $f$ monotone

6. $f|_R(Q) = f(P \wedge Q) \wedge P$ ; from 2 and 5

7. $f|_R(Q) = R$ ; from 6 and definition of $R$

This completes the proof. □

Thus  it  follows  from  Lemma  4.3  that  the  restriction  of  a  monotone  predicate  transformer, 
the  application  of  which  results  in  an  image  predicate  weaker  than  its  preimage  predicate, 
exhibits  a  nice  “invariance”  property.  For  example,  the  disjunctive  closure  of  any  predicate 
transformer  is  weakening  as  well  as  monotone  (Lemma  3.3  and  3.5),  and  thus  exhibits  such 
a  property. 

Definition 4.4 $R$ is said to be controllable with respect to $G$ if

1. $sp_u(R) \preceq R$, and

2. $R = (sp|_R)^*(I)$.

Note that it follows from the definition of restriction and disjunctive closure that the following ordering always holds: $(sp|_R)^*(I) \preceq R$. Thus the second condition in the definition of controllability is equivalent to $R \preceq (sp|_R)^*(I)$. We use either of these equivalent definitions of controllability interchangeably. In the next theorem we present a solution to the SPCP. The simplicity of the proof obtained by using the theory of predicate transformers and a more compact definition of controllability is easily seen.
Theorem 4.5 The solution to SPCP exists if and only if $R$ is controllable with respect to $G$.

Proof: First assume that $R$ is controllable; we show that there exists a controller $S : X \to 2^\Sigma$ such that $sp_S^*(I) = R$. Consider the controller defined as: for each $x \in X_R$, $\sigma \in S(x) \Leftrightarrow \delta(x, \sigma) \in X_R$. Since $R$ is $\Sigma_u$-invariant, it follows that the events disabled by $S$ are all controllable ($S$ never disables any uncontrollable events). Also, note that the strongest postcondition predicate transformer $sp_u$ corresponds to the maximally restrictive control law, the control law that disables all the controllable events from occurring.

1. $sp_u(R) \preceq R$ ; by assumption ($R$ is controllable)

2. $sp|_R = sp_S$ ; from 1, definitions of $S$ and $sp$ and A-1

3. $R = (sp|_R)^*(I)$ ; by assumption ($R$ is controllable)

4. $R = sp_S^*(I)$ ; from 2 and 3

Next we show that if there exists a controller $S$ such that $sp_S^*(I) = R$, then $R$ is controllable.

1. $sp_S^*(I) = R$ ; by assumption

2. $sp_S^*(I) = sp_S^*(R)$ ; apply $sp_S^*$ on 1

3. $sp_S^*(R) = R$ ; from 1 and 2

4. $sp_u^*(R) \preceq sp_S^*(R)$ ; $sp_u$ : most restrictive control

5. $sp_u^*(R) \preceq R$ ; from 3 and 4

6. $sp_u(R) \preceq R$ ; from 5 and Lemma 3.5

7. $(sp_S|_R)^*(I) = R$ ; from 1 and Lemma 4.3

8. $(sp_S|_R)^*(I) \preceq (sp|_R)^*(I)$ ; $S$ restricts behavior

9. $R \preceq (sp|_R)^*(I)$ ; from 7 and 8

10. $R$ is controllable ; from 6 and 9

This completes the proof of Theorem 4.5. □


Example 4.6 Consider the problem of mutual exclusion for the Readers-Writers program of Example 2.10. The mutual exclusion constraint requires that the number of writers accessing the database should never be more than one, and a reader can access the database only when no writer is accessing it. Thus the mutual exclusion constraint can be written as the following required predicate: $R = ((nw = 0) \vee (nw = 1 \wedge nr = 0))$. Let $\Sigma_u = \{end\_rd, end\_wt\}$. Then it is easily verified that $R$ is controllable, namely, $sp_u(R) \preceq R$ and $(sp|_R)^*(I) = R$ as described below. First consider the event $end\_rd$:

$nr := nr - 1$ if $nr > 0$ : $end\_rd$

Comparing the above statement with the standard form:

$x := F(x)$ if $C(x)$ : $\sigma$

we obtain $F(x) = x - 1$, i.e. $F^{-1}(x) = x + 1$; and $C(x) = [x > 0]$. Thus

$sp_{end\_rd}(R(nr))$

$= R(F^{-1}(nr)) \wedge C(F^{-1}(nr))$

$= [(nw = 0) \vee (nw = 1 \wedge nr + 1 = 0)] \wedge [nr + 1 > 0]$

$= [(nw = 0) \wedge (nr + 1 > 0)] \vee [(nw = 1) \wedge (nr + 1 = 0) \wedge (nr + 1 > 0)]$

$= [(nw = 0) \wedge true] \vee false$

$= (nw = 0)$

$\preceq R$.

Next consider the event $end\_wt$:

$nw := nw - 1$ if $nw > 0$ : $end\_wt$

Thus $F(x) = x - 1$ and $C(x) = [x > 0]$ as before. Hence

$sp_{end\_wt}(R(nw))$

$= R(F^{-1}(nw)) \wedge C(F^{-1}(nw))$

$= [(nw + 1 = 0) \vee (nw + 1 = 1 \wedge nr = 0)] \wedge [nw + 1 > 0]$

$= [nw + 1 = 0 \wedge nw + 1 > 0] \vee [nw + 1 = 1 \wedge nr = 0 \wedge nw + 1 > 0]$

$= false \vee [nw = 0 \wedge nr = 0]$

$= [nw = 0 \wedge nr = 0]$

$\preceq R$.

Combining the results of the above two derivations, we thus obtain:

$sp_u(R) = (nw = 0) \vee (nw = 0 \wedge nr = 0) = (nw = 0) \preceq R$.

Next, in order to verify $(sp|_R)^*(I) = R$, it can be easily shown by induction on $n \in \mathbb{N}$ that $(sp|_R)^n(I) = (nw = 0 \wedge nr \le n) \vee (nw = 1 \wedge nr = 0)$. Hence

$(sp|_R)^*(I)$

$= \bigvee_{n \ge 0} (nw = 0 \wedge nr \le n) \vee (nw = 1 \wedge nr = 0)$

$= (nw = 0 \wedge true) \vee (nw = 1 \wedge nr = 0)$

$= (nw = 0) \vee (nw = 1 \wedge nr = 0)$

$= R$.

It then follows that $R$ is controllable and hence the SPCP is solvable. The supervisor $S$ can be computed as follows. For each controllable event $\sigma \in (\Sigma - \Sigma_u)$ of the type:

$x := F(x)$ if $C(x)$ : $\sigma$,

the predicate on which the event $\sigma$ is disabled by $S$ is computed as

$C(x) \wedge R(x) \wedge wlp_\sigma(\neg R(x))$.

This is the weakest predicate stronger than $R$, where $\sigma$ is enabled ($C(x)$ holds), and from which a state in $X_{\neg R}$ (states where $R$ does not hold) is reachable by a single execution of $\sigma$. First consider the event $st\_rd$; then $S$ disables $st\_rd$ on the predicate:

$true \wedge [(nw = 0) \vee (nw = 1 \wedge nr = 0)] \wedge [wlp_{st\_rd}([nw > 1] \vee [nw = 1 \wedge nr > 0])]$

$= [(nw = 0) \vee (nw = 1 \wedge nr = 0)] \wedge [(nw > 1) \vee (nw = 1 \wedge nr + 1 > 0)]$

$= [(nw = 0) \vee (nw = 1 \wedge nr = 0)] \wedge (nw \ge 1)$

$= (nw = 1 \wedge nr = 0)$.

Thus $S$ disables $st\_rd$ on $[nw = 1 \wedge nr = 0]$.

The predicate where $S$ disables the other controllable event $st\_wt$ can be computed as:

$true \wedge [(nw = 0) \vee (nw = 1 \wedge nr = 0)] \wedge [wlp_{st\_wt}((nw > 1) \vee (nw = 1 \wedge nr > 0))]$

$= [(nw = 0) \vee (nw = 1 \wedge nr = 0)] \wedge [(nw + 1 > 1) \vee (nw + 1 = 1 \wedge nr > 0)]$

$= [(nw = 0) \vee (nw = 1 \wedge nr = 0)] \wedge [(nw > 0) \vee (nw = 0 \wedge nr > 0)]$

$= [nw = 0 \wedge nw > 0] \vee [nw = 0 \wedge (nw = 0 \wedge nr > 0)] \vee [(nw = 1 \wedge nr = 0) \wedge nw > 0] \vee [(nw = 1 \wedge nr = 0) \wedge (nw = 0 \wedge nr > 0)]$

$= false \vee (nw = 0 \wedge nr > 0) \vee (nw = 1 \wedge nr = 0) \vee false$

$= (nw = 0 \wedge nr > 0) \vee (nw = 1 \wedge nr = 0)$.

Thus $S$ disables $st\_wt$ in $(nw = 0 \wedge nr > 0) \vee (nw = 1 \wedge nr = 0)$.

Thus it is clear that at states where $(nw = 1 \wedge nr = 0)$ holds both the controllable events are disabled by $S$, and at states where $(nw = 0 \wedge nr > 0)$ holds only $st\_wt$ is disabled. Thus $S : X \to 2^\Sigma$ is given by ($x$ is used to denote an arbitrary element of $X = \mathbb{N}^2$, i.e. $x = (nr, nw)$):

$S(x) = \Sigma(x) - \{st\_wt, st\_rd\}$ if $(nw = 1 \wedge nr = 0)$

$S(x) = \Sigma(x) - \{st\_wt\}$ if $(nw = 0 \wedge nr > 0)$

$S(x) = \Sigma(x)$ otherwise

where $\Sigma(x) = \{\sigma \in \Sigma \mid \delta(x, \sigma) \text{ is defined}\}$.

Remark 4.7 This example illustrates that techniques based on predicates and predicate transformers can be used for solving the supervisory control problem in an infinite state space setting. The computational complexity of computing the supervisor is linear in the number of variables used and the number of conditional assignment statements in the program description of the plant, and does not depend on the actual number of states and transitions in the system, which may be very large, possibly infinite.

Another advantage of using the theory based on predicate transformers is that it provides an automated technique for synthesizing supervisors as illustrated by the above example.


4.1  Minimally  Restrictive  Supervisors  for  Predicate  Control 

It follows from Theorem 4.5 that if the required predicate $R$ is controllable, i.e. satisfies the $\Sigma_u$-invariance and the reachability constraint $R \preceq (sp|_R)^*(I)$, then the following control law can be used for solving the SPCP: for each $x \in X_R$, $\sigma \in S(x) \Leftrightarrow \delta(x, \sigma) \in X_R$. In this subsection, we address the problem of supervisory synthesis when the required predicate $R$ is not controllable. This problem was not addressed in [19]. If the required predicate $R$ is not controllable, then a supervisor cannot be constructed which solves the SPCP. In the next theorem we prove that in such a situation, the minimally restrictive supervisor can be constructed.

Theorem  4.8  The  weakest  controllable  predicate  stronger  than  a  given  predicate  exists 
(and  is  unique). 

Proof: Let $R \in \mathcal{P}$ be the required predicate. Assume that $R$ is not controllable; then at least one of the following two conditions is not satisfied:

1. $sp_u(R) \preceq R$

2. $R \preceq (sp|_R)^*(I)$

We show that the weakest solution to the following set of equations exists:

E-1. $Q : sp_u(Q) \preceq Q$

E-2. $Q : Q \preceq (sp|_Q)^*(I)$

E-3. $Q : Q \preceq R$

Equations E-1 and E-2 correspond to conditions 1 and 2 respectively. Equation E-3 requires that the weakest solution be stronger than $R$. Consider the first equation; since $sp_u$ is disjunctive and $Q$ as an identity function is monotone, it follows from Theorem 3.8 that the weakest solution of it exists. Similarly consider the second equation; since $Q$ as an identity function is disjunctive and $(sp|_Q)^*(I)$ as a function of $Q$ is monotone, it follows that the second equation also has a weakest solution. Also, since $R$ as a constant function is monotone and $Q$ as an identity function is disjunctive, the third equation possesses a weakest solution as well. Since the weakest solutions of all the equations E-1 through E-3 exist, it follows that the weakest solution of the above set of equations exists and by its definition it is unique. More formally, let $\Lambda$ be an indexing set such that for each $\lambda \in \Lambda$, $Q_\lambda$ satisfies the above set of equations. Then as explained above $\bigvee_{\lambda\in\Lambda} Q_\lambda$ satisfies all the equations E-1 through E-3 individually. Thus $\bigvee_{\lambda\in\Lambda} Q_\lambda$ is the weakest solution of the above set of equations. □

We will use $R^\uparrow \preceq R$ to denote the weakest solution of the above set of equations; then $R^\uparrow$ denotes the weakest controllable predicate stronger than $R$. If $R^\uparrow$ also satisfies A-1, i.e. if $I \preceq R^\uparrow$, then since $R^\uparrow$ is controllable, it follows from Theorem 4.5 that there exists a static control law $S$ such that $sp_S^*(I) = R^\uparrow$. A supervisor exercising such a control law is called the minimally restrictive supervisor. However, $R^\uparrow$ may not satisfy A-1, i.e. it is possible that $I \not\preceq R^\uparrow$, in which case the minimally restrictive supervisor does not exist.

4.2 Computation of $R^\uparrow$

In Theorem 4.8 we proved the existence of the weakest controllable predicate $R^\uparrow$, which is the weakest solution of equations E-1, E-2 and E-3, stronger than $R$. Now we present a method for computing it. We proceed by first proving a few lemmas.

First we note that the weakest solution of E-2 stronger than any predicate $P \in \mathcal{P}$ exists. This follows easily from 1 and 2 below:

1. E-2 has a weakest solution (follows from Theorem 4.8), and

2. Equation $Q : Q \preceq P$ has a weakest solution, for $Q$ as an identity predicate transformer is monotone and $P$ as a constant predicate transformer is disjunctive.

Lemma 4.9 If $P \in \mathcal{P}$ is a solution of E-1 and E-3 and $P'$ is the weakest solution of E-2 stronger than $P$, then $P'$ is also a solution of E-1 and E-3.

Proof: We first show that $P'$ is a solution of E-3.

1. $P' \preceq P$ ; by assumption

2. $P \preceq R$ ; $P$ is a solution of E-3

3. $P' \preceq R$ ; from 1 and 2

4. $P'$ is a solution of E-3 ; from 3

Next we show that $P'$ is also a solution of E-1.

1. $sp_u(P) \preceq P$ ; $P$ is a solution of E-1

2. $P' \preceq P$ ; by assumption

3. $sp_u(P') \preceq sp_u(P)$ ; apply $sp_u$ on 2, $sp_u$ monotone

4. $sp_u(P') \preceq P$ ; from 1 and 3

5. $sp_u(P') \vee P' \preceq P$ ; from 2 and 4

6. $P' \preceq (sp|_{P'})^*(I)$ ; $P'$ is a solution of E-2

7. $P' \preceq (sp|_{sp_u(P') \vee P'})^*(I)$ ; by weakening the RHS of 6

8. $sp_u(P') \preceq (sp|_{sp_u(P') \vee P'})^*(I)$ ; from 6 and definition of $sp|_{(\cdot)}$

9. $sp_u(P') \vee P' \preceq (sp|_{sp_u(P') \vee P'})^*(I)$ ; taking disjunct of 7 and 8

10. $sp_u(P') \vee P'$ is a solution of E-2 stronger than $P$ ; from 9 and 5

11. $sp_u(P') \vee P' \preceq P'$ ; from 10 and definition of $P'$

12. $sp_u(P') \preceq P'$ ; simplifying 11

13. $P'$ is a solution of E-1 ; from 12

This completes the proof. □

Thus the weakest solution of E-2 stronger than any solution of E-1 and E-3 is also a solution of E-1 and E-3 and hence a solution of all the three equations.

Lemma 4.10 Let $P$ be the weakest solution of E-1 and E-3 and $P'$ be the weakest solution of E-2 stronger than $P$. Then $P'$ is the weakest solution of E-1 through E-3.

Proof: It follows from Lemma 4.9 that $P'$ is a solution of E-1 through E-3. We need to show that it is the weakest solution also, i.e. $P' = R^\uparrow$.

1. $P' \preceq P$ ; by assumption

2. $P' \preceq R^\uparrow$ ; $P'$ a solution of E-1, E-2, E-3 and $R^\uparrow$ weakest solution of E-1, E-2, E-3

3. $R^\uparrow \preceq P$ ; $R^\uparrow$ weakest solution of E-1, E-2, E-3 and $P$ weakest solution of E-1, E-3

4. $R^\uparrow \preceq P'$ ; $R^\uparrow$ weakest solution of E-1, E-2, E-3 stronger than $P$ (from 3) and $P'$ weakest solution of E-2 stronger than $P$ (from 1)

5. $R^\uparrow = P'$ ; from 2 and 4

Thus the proof is completed. □

It follows from Lemma 4.10 that one way to compute $R^\uparrow$ is by computing the weakest solution of E-2 stronger than the weakest solution of E-1 and E-3.


Theorem 4.11 The weakest solution of E-1 and E-3 is $(wlp_u)_*(R)$.

Proof: Note that by definition, $(wlp_u)_*(R) = \bigwedge_{n \ge 0} wlp_u^n(R)$. We first show that $(wlp_u)_*(R)$ is a solution of E-1.

1. $\bigwedge_{n \ge 0} wlp_u^n(R) \preceq \bigwedge_{n \ge 1} wlp_u^n(R)$ ; trivially

2. $(wlp_u)_*(R) \preceq wlp_u(\bigwedge_{n \ge 0} wlp_u^n(R))$ ; rewriting LHS and RHS of 1

3. $(wlp_u)_*(R) \preceq wlp_u((wlp_u)_*(R))$ ; rewriting RHS of 2

4. $sp_u((wlp_u)_*(R)) \preceq (wlp_u)_*(R)$ ; from 3 and C-3

5. $(wlp_u)_*(R)$ is a solution of E-1 ; from 4

Next we show that $(wlp_u)_*(R)$ is a solution of E-3.

1. $\bigwedge_{n \ge 0} wlp_u^n(R) \preceq \bigwedge_{n = 0} wlp_u^n(R)$ ; trivially

2. $(wlp_u)_*(R) \preceq R$ ; rewriting LHS and simplifying RHS of 1

3. $(wlp_u)_*(R)$ is a solution of E-3 ; from 2

Next we prove that $(wlp_u)_*(R)$ is the weakest solution of E-1 and E-3. Assume $P$ is also a solution of E-1 and E-3.

1. $sp_u(P) \preceq P$ ; $P$ is a solution of E-1

2. $P \preceq wlp_u(P)$ ; from 1 and C-3

3. $P \preceq (wlp_u)_*(P)$ ; from 2 and Lemma 3.5

4. $P \preceq R$ ; $P$ is a solution of E-3

5. $(wlp_u)_*(P) \preceq (wlp_u)_*(R)$ ; apply $(wlp_u)_*$ on 4, $(wlp_u)_*$ monotone

6. $P \preceq (wlp_u)_*(R)$ ; from 3 and 5

7. $(wlp_u)_*(R)$ is the weakest solution ; from 6

This completes the proof of Theorem 4.11. □

Thus it follows from Theorem 4.11 that the weakest $\Sigma_u$-invariant predicate stronger than $R$ (i.e. the weakest solution of E-1 and E-3) is given by $(wlp_u)_*(R)$. Finally we have the following theorem for computing $R^\uparrow$. This is one of the main results of this paper.

Theorem 4.12 $R^\uparrow = (sp|_{(wlp_u)_*(R)})^*(I)$.

Proof: Let $Q \stackrel{\mathrm{def}}{=} (sp|_{(wlp_u)_*(R)})^*(I)$. In view of Lemma 4.10 it suffices to show that $Q$ is the weakest solution of E-2 stronger than the weakest solution of E-1 and E-3. Since the weakest solution of E-1 and E-3 is $(wlp_u)_*(R)$ (Theorem 4.11), we need to show that $Q$ is the weakest solution of E-2 stronger than $(wlp_u)_*(R)$, i.e. satisfies $Q \preceq (wlp_u)_*(R)$. First we show that $Q$ is a solution of E-2 and $Q \preceq (wlp_u)_*(R)$.

1. $(sp|_{(wlp_u)_*(R)})^*(I) \preceq (wlp_u)_*(R)$ ; by definition of restriction

2. $Q \preceq (wlp_u)_*(R)$ ; from 1 and definition of $Q$

3. $Q = (sp|_Q)^*(I)$ ; from Lemma 4.3

4. $Q \preceq (sp|_Q)^*(I)$ ; from 3

5. $Q$ is a solution of E-2 ; from 4

Next we show that $Q$ is the weakest solution of E-2 stronger than $(wlp_u)_*(R)$. Let $P$ be another solution of E-2 stronger than $(wlp_u)_*(R)$. Since we have already shown above that $Q$ is stronger than $(wlp_u)_*(R)$, it suffices to show that $P \preceq Q$.

1. $P \preceq (wlp_u)_*(R)$ ; by assumption ($P$ stronger than $(wlp_u)_*(R)$)

2. $P \preceq (sp|_P)^*(I)$ ; by assumption ($P$ solution of E-2)

3. $P \preceq (sp|_{(wlp_u)_*(R)})^*(I)$ ; by weakening RHS of 2 using 1

4. $P \preceq Q$ ; from 3 and definition of $Q$

Hence the proof is completed. □


Remark 4.13 The set of states $X_{R^\uparrow}$ corresponding to the weakest controllable predicate stronger than $R$ can be easily computed in two steps:

1. Compute $R_u \stackrel{\mathrm{def}}{=} (wlp_u)_*(R)$

2. Compute $(sp|_{R_u})^*(I)$

The first step corresponds to the computation of the supremal $\Sigma_u$-invariant subset of $X_R$. This we denote by $X_{R_u}$. The second step consists of computing the set of states reachable from the initial state set $X_I$ in the state space restricted to $X_{R_u}$. If $G$ is represented as a finite state machine, then the set $X_{R_u}$ as well as the states reachable from $X_I$ in the state space restricted to $X_{R_u}$ can be computed (in the worst case) in time linear in the number of transitions present in $G$ (refer to [11, 13] for more elaborate discussions on computationally optimal algorithmic techniques for similar computations). If $G$ has infinite states, then the computation of $R^\uparrow$ based on the state machine approach as described above will not terminate, as it involves the computation of the closure operators (disjunctive and conjunctive closure). However, computation based on predicates and predicate transformers can be used to automatically construct the minimally restrictive supervisor in an infinite state space setting using efficient techniques such as those reported in [7]. Further research on this issue is currently under investigation.

Example 4.14 Consider the following refinement of the Readers-Writers program of Example 2.10. We use variables $ar$, $aw$ to denote the number of active readers, writers, respectively, and the variables $wr$, $ww$ to denote the number of waiting readers, writers, respectively. The event set consists of: $\Sigma = \{st\_rd, st\_wt, end\_rd, end\_wt, req\_rd, req\_wt, ovflo\}$. Informally described, readers and writers are first buffered in separate queues of finite capacity, and whenever $req\_rd$ or $req\_wt$ occurs, the size of the corresponding queue increases. The number of active readers/writers is increased (decreased) according to the occurrence of $st\_rd$/$st\_wt$ ($end\_rd$/$end\_wt$). If the number of waiting readers is more than a positive number $B$, then the number of active readers increases by one whenever the event $ovflo$ occurs. Formally,


Program Rd_Wr_1
declare
    wr, ww, ar, aw : integer
    st_rd, st_wt, ovflo, end_rd, end_wt, req_rd, req_wt : event
initially
    wr, ww, ar, aw = 0, 0, 0, 0
assign
    wr, ar := wr + 1, ar : req_rd
    wr, ar := wr - 1, ar + 1 if wr > 0 : st_rd
    wr, ar := wr, ar + 1 if wr > B : ovflo
    wr, ar := wr, ar - 1 if ar > 0 : end_rd
    ww, aw := ww + 1, aw : req_wt
    ww, aw := ww - 1, aw + 1 if ww > 0 : st_wt
    ww, aw := ww, aw - 1 if aw > 0 : end_wt
end {Rd_Wr_1}

Let the uncontrollable event set be given by $\Sigma_u = \{ovflo\}$. As in Example 4.6, the mutual exclusion constraint for the above program is given as the required predicate $R = (aw = 0) \vee (aw = 1 \wedge ar = 0)$. It can be readily verified that $R$ is not a controllable predicate, for $sp_u(R) \not\preceq R$. In order to show that $R$ is not controllable consider the uncontrollable event $ovflo$. Note that $F(ar) = ar + 1$ and $C(wr) = (wr > B)$ for the event $ovflo$. Then

$sp_{ovflo}(R(ar, aw))$

$= (aw = 0 \vee (aw = 1 \wedge ar - 1 = 0)) \wedge (wr > B)$

$= (aw = 0 \vee (aw = 1 \wedge ar = 1)) \wedge (wr > B)$

$\not\preceq R$.

In order to compute $R^\uparrow$ we first compute $(wlp_{ovflo})_*(R) = \bigwedge_{n \ge 0} (wlp_{ovflo})^n(R)$. We need to compute $(wlp_{ovflo})^n(R)$ for each $n \in \mathbb{N}$. First we compute $wlp_{ovflo}(R)$:

$wlp_{ovflo}(R)$

$= wlp_{ar := ar + 1 \text{ if } wr > B}((aw = 0) \vee (aw = 1 \wedge ar = 0))$

$= [((aw = 0) \vee (aw = 1 \wedge ar + 1 = 0)) \wedge (wr > B)] \vee [wr \le B]$

$= [(aw = 0) \wedge (wr > B)] \vee [wr \le B]$

$= [(aw = 0) \vee (wr \le B)] \wedge [(wr > B) \vee (wr \le B)]$

$= [(aw = 0) \vee (wr \le B)]$

Similarly we compute $(wlp_{ovflo})^2(R)$:

$(wlp_{ovflo})^2(R)$

$= wlp_{ovflo}(aw = 0 \vee wr \le B)$

$= [(aw = 0 \vee wr \le B) \wedge (wr > B)] \vee [wr \le B]$

$= (aw = 0 \vee wr \le B)$

$= wlp_{ovflo}(R)$

Hence $(wlp_{ovflo})^n(R) = wlp_{ovflo}(R)$ for each $n \ge 1$. Thus

$(wlp_{ovflo})_*(R)$

$= R \wedge wlp_{ovflo}(R)$

$= [(aw = 0) \vee (aw = 1 \wedge ar = 0)] \wedge [(aw = 0) \vee (wr \le B)]$

$= [(aw = 0) \wedge (aw = 0)] \vee [(aw = 0) \wedge (wr \le B)] \vee [(aw = 1 \wedge ar = 0) \wedge (aw = 0)] \vee [(aw = 1 \wedge ar = 0) \wedge (wr \le B)]$

$= (aw = 0) \vee (aw = 0 \wedge wr \le B) \vee false \vee (aw = 1 \wedge ar = 0 \wedge wr \le B)$

$= (aw = 0) \vee (aw = 1 \wedge ar = 0 \wedge wr \le B)$

Thus $R_u = (wlp_u)_*(R) = (aw = 0) \vee (aw = 1 \wedge ar = 0 \wedge wr \le B)$. In order to compute $R^\uparrow$ we need to compute $(sp|_{R_u})^*(I)$. This can be easily shown to equal $R_u$. Thus

$R^\uparrow = (aw = 0) \vee (aw = 1 \wedge ar = 0 \wedge wr \le B)$.

Using the technique described in Example 4.6, the predicate on which the minimally restrictive supervisor disables a given controllable event can be computed. Essentially, if $\sigma \in \Sigma - \Sigma_u$ is a controllable event of the type

$x := F(x)\ \mathrm{if}\ C(x) : \sigma,$

then $\sigma$ is disabled by $S$ in the predicate $C(x) \wedge R^{\uparrow}(x) \wedge \neg wlp_\sigma(R^{\uparrow})(x) = C(x) \wedge R^{\uparrow}(x) \wedge \neg R^{\uparrow}(F(x))$. The following minimally restrictive control $S : X \to 2^{\Sigma}$ can be used for achieving the mutual exclusion constraint, where $S(x)$ is the set of events disabled at $x$ (we use $x$ to denote an arbitrary element of $X = \mathcal{N}^4$):

$S(x) = \{\mathit{st\_wt}, \mathit{st\_rd}, \mathit{req\_rd}\}$ if $(aw = 1 \wedge ar = 0 \wedge wr = B - 1)$
$S(x) = \{\mathit{st\_wt}, \mathit{st\_rd}\}$ if $(aw = 1 \wedge ar = 0 \wedge wr < B - 1)$
$S(x) = \{\mathit{st\_wt}\}$ if $(aw = 0 \wedge ar > 0)$
$S(x) = \emptyset$ otherwise
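To make the derivation of $R^{\uparrow}$ concrete, here is an added Python example (not the paper's own code) that computes $(wlp_u)^*(R)$ for Rd_Wr_1 by iterating $wlp$ over the uncontrollable event and then derives the events the minimally restrictive supervisor disables at a state; the threshold $B = 3$ and the finite box on which stabilisation of the iteration is checked are assumptions introduced so the code can run.

```python
"""Weakest controllable predicate R_up for program Rd_Wr_1 (Example 4.14).

Predicates are Python functions on states x = (wr, ww, ar, aw); each event
is a guarded assignment (C, F).  R_up = (wlp_u)*(R) is the conjunction of the
iterated wlp_u's, and the supervisor disables sigma at x iff
C(x) and R_up(x) and not R_up(F(x)).  The finite BOX is an assumption added
here to check stabilisation; the paper's derivation is symbolic over N^4.
"""
from itertools import product

B = 3                      # ovflo threshold (constructed value)
BOX = range(2 * B + 2)     # sampled range of each counter (constructed)

# event -> (guard C(x), update F(x)) with x = (wr, ww, ar, aw)
EVENTS = {
    "req_rd": (lambda x: True,      lambda x: (x[0] + 1, x[1], x[2], x[3])),
    "st_rd":  (lambda x: x[0] > 0,  lambda x: (x[0] - 1, x[1], x[2] + 1, x[3])),
    "ovflo":  (lambda x: x[0] >= B, lambda x: (x[0], x[1], x[2] + 1, x[3])),
    "end_rd": (lambda x: x[2] > 0,  lambda x: (x[0], x[1], x[2] - 1, x[3])),
    "req_wt": (lambda x: True,      lambda x: (x[0], x[1] + 1, x[2], x[3])),
    "st_wt":  (lambda x: x[1] > 0,  lambda x: (x[0], x[1] - 1, x[2], x[3] + 1)),
    "end_wt": (lambda x: x[3] > 0,  lambda x: (x[0], x[1], x[2], x[3] - 1)),
}
UNCONTROLLABLE = {"ovflo"}

def R(x):
    """Mutual exclusion: (aw = 0) or (aw = 1 and ar = 0)."""
    return x[3] == 0 or (x[3] == 1 and x[2] == 0)

def wlp(sigma, P):
    """wlp_sigma(P)(x) = not C(x) or P(F(x))."""
    C, F = EVENTS[sigma]
    return lambda x: (not C(x)) or P(F(x))

def wlp_u(P):
    """Conjunction of wlp_sigma(P) over the uncontrollable events."""
    return lambda x: all(wlp(s, P)(x) for s in UNCONTROLLABLE)

def conj(P, Q):
    return lambda x: P(x) and Q(x)

def same_on_box(P, Q):
    return all(P(x) == Q(x) for x in product(BOX, repeat=4))

def sigma_u_invariant(P):
    """sp_u(P) =< P: no uncontrollable step leaves the states where P holds."""
    for x in product(BOX, repeat=4):
        if not P(x):
            continue
        for s in UNCONTROLLABLE:
            C, F = EVENTS[s]
            if C(x) and not P(F(x)):
                return False
    return True

def weakest_controllable(P, max_iter=20):
    """(wlp_u)*(P) = AND_{n>=0} (wlp_u)^n(P), accumulated until the
    conjunction stops changing on BOX."""
    acc = cur = P
    for _ in range(max_iter):
        cur = wlp_u(cur)
        nxt = conj(acc, cur)
        if same_on_box(nxt, acc):
            return nxt
        acc = nxt
    raise RuntimeError("iteration did not stabilise on BOX")

def disabled_events(R_up, x):
    """Controllable events the minimally restrictive supervisor disables at x."""
    return {name for name, (C, F) in EVENTS.items()
            if name not in UNCONTROLLABLE
            and C(x) and R_up(x) and not R_up(F(x))}

R_UP = weakest_controllable(R)

def closed_form(x):
    """The paper's result: (aw = 0) or (aw = 1 and ar = 0 and wr < B)."""
    return x[3] == 0 or (x[3] == 1 and x[2] == 0 and x[0] < B)

def matches_closed_form():
    return same_on_box(R_UP, closed_form)
```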


5  Observability of Predicates

So far we have considered the supervisory predicate control problem assuming that complete information about the system states is available. Next we generalize the theory of supervisory predicate control developed above to the case where the system states are not necessarily completely observed. In order to formulate the problem of supervisory predicate control under partial state observation, consider a mask $M$, which is a map from the system state space $X$ to the observation space $Y$, i.e. $M : X \to Y$. Note that the mask $M$ is not necessarily injective, and it is possible that two different states may yield an identical observation under the mask $M$.

The supervisory predicate control problem under partial observation was first studied in [19]. However, the conditions of observability of a predicate were obtained under very restrictive assumptions on the mask $M$. It was assumed in [19] that given any pair of states $x_1, x_2 \in X$ and any event $\sigma \in \Sigma$ such that $\delta(x_1, \sigma)$, $\delta(x_2, \sigma)$ are both defined, the mask $M$ is such that $M(x_1) = M(x_2) \Leftrightarrow M(\delta(x_1, \sigma)) = M(\delta(x_2, \sigma))$. Note that this assumption may be violated even when the mask $M$ equals the identity function, which corresponds to the case of complete observation. Thus the observability theory developed in [19] is applicable only to a very small class of systems. We extend the condition of observability of predicates without assuming any restriction on the mask $M$.

Supervisory Predicate Control and Observation Problem (SPCOP): Consider the plant $G \triangleq (\mathcal{P}_X, \Sigma, sp, I)$ and the observation mask $M : X \to Y$. Let $R \in \mathcal{P}_X$ denote the required predicate. The control task is to obtain a dynamic control law $D : Y^* \times (2^\Sigma)^* \to 2^\Sigma$ such that $(sp_D)^*(I) = R$.

The notation $Y^*$, $(2^\Sigma)^*$ is used to denote the set of finite sequences of observations in $Y$ and the set of finite sequences of control actions, respectively. The supervisor uses all the information available about the entire past to determine the current control action (the set of events to be enabled). Thus the supervisor is dynamic. The supervisor considered for the SPCOP in [19] is static (current control actions are determined by the current observation only) and can be obtained as a special case of the supervisor considered in this section.

We propose the following algorithm for dynamically estimating the current state of the system using the information available from the entire past. The notation $y_k \in Y$ for each $k \in \mathcal{N}$ is used to denote the observation at the $k$th step.

Algorithm 5.1

Initiation step: $P_0 = \mathit{true}_X$

Recursion step: $P_{k+1} = sp(P_k) \wedge M^{-1}(y_{k+1});\ k \geq 0$

where $M^{-1}(y_{k+1})$ corresponds to the predicate which holds in those states which have the same mask value $y_{k+1}$, and $P_k$ for each $k \geq 0$ denotes the predicate corresponding to the state estimate at the $k$th step.

Thus initially, when no observation has been made, the set of states corresponding to the initial state estimate equals the entire state space; hence $P_0$ is set equal to $\mathit{true}_X$. The set of states corresponding to the state estimate at the $(k+1)$th step, where the predicate $P_{k+1}$ holds, equals the set of states that correspond to the observation $y_{k+1}$ and are reachable from a state where $P_k$ holds. Algorithm 5.1 can be used to define the following dynamic observer for the system $G$.

Definition 5.2 Consider the plant $G \triangleq (\mathcal{P}_X, \Sigma, sp, I)$ and the mask $M : X \to Y$. The dynamic observer for estimating the current state of $G$ is a DEDS $O \triangleq (\mathcal{P}_X, Y, sp_O, \mathit{true}_X)$, where $\mathcal{P}_X$ corresponds to the state set of the observer $O$; $Y$ corresponds to the event set of $O$; $\mathit{true}_X$ corresponds to the initial condition of $O$; and $sp_O$, the strongest postcondition predicate transformer of $O$, is defined to be $(sp_O)_y(P) = sp(P) \wedge M^{-1}(y)$ for each $P \in \mathcal{P}_X$ and $y \in Y$.

A similar definition of a dynamic observer is presented in [3], which uses the past sequence of observations as well as the past sequence of control inputs for estimating the current state.

5.1  Static and Dynamic Control Laws

An algorithm similar to Algorithm 5.1 can be used to simultaneously observe the evolution of the plant and control its behavior. Since the goal of the SPCOP is to obtain a dynamic control law $D : Y^* \times (2^\Sigma)^* \to 2^\Sigma$ such that the required predicate $R$ remains invariant under the evolution of the controlled system, we assume that the system never starts in a state where $R$ does not hold. This is stated as assumption A-1 in the previous section. Keeping assumption A-1 in mind, a dynamic control law $D^\circ$ is obtained in the manner described below. The notations $y_k$, $P_k^{D^\circ}$ are used to denote the observation at the $k$th step and the predicate corresponding to the state estimate at the $k$th step under the control law $D^\circ$, respectively. The control action at the $k$th step, $k \geq 1$, depends on the observation sequence up to the $k$th step and the control sequence up to the $(k-1)$th step; using this available information at the $k$th step, first the predicate $P_k^{D^\circ}$ corresponding to the state estimate at the $k$th step is obtained, and then an identical control action is defined for each of the states in the set $X_{P_k^{D^\circ}}$. Thus a dynamic controller $D^\circ : Y^* \times (2^\Sigma)^* \to 2^\Sigma$ can equivalently be viewed as a map $D^\circ : \mathcal{P}_X \to 2^\Sigma$.

Algorithm 5.3

Initiation step: $P_1^{D^\circ} = M^{-1}(y_1) \wedge I$
$\sigma \in D^\circ(P_1^{D^\circ}) \Leftrightarrow sp_\sigma(P_1^{D^\circ}) \preceq R$

Recursion step: $P_{k+1}^{D^\circ} = sp_{D^\circ}(P_k^{D^\circ}) \wedge M^{-1}(y_{k+1})$
$\sigma \in D^\circ(P_{k+1}^{D^\circ}) \Leftrightarrow sp_\sigma(P_{k+1}^{D^\circ}) \preceq R;\ k \geq 1$

where $\sigma \in D^\circ(P)$ for any $\sigma \in \Sigma$ and $P \in \mathcal{P}_X$ means that $\sigma$ is enabled by the control law $D^\circ$ in every state in the set $X_P$.

Since the system is assumed to start in $I \preceq R$ (Assumption A-1), the initial state estimate after the first observation $y_1 \in Y$ is given by the predicate $M^{-1}(y_1) \wedge I$. For every state $x \in X_{P_1^{D^\circ}}$, a transition $\sigma \in \Sigma$ is enabled by the control law if and only if the states reached by executing $\sigma$ in $X_{P_1^{D^\circ}}$ are all contained in $X_R$. The predicate $P_{k+1}^{D^\circ}$ corresponding to the state estimate at the $(k+1)$th step is obtained by determining the states that correspond to the $(k+1)$th observation $y_{k+1}$ and that are reachable in $G$ under the control law $D^\circ$ from the states where $P_k^{D^\circ}$ holds. Since all the states in the set $X_{P_{k+1}^{D^\circ}}$ (at step $(k+1)$) correspond to the same past observation and control sequence up to step $(k+1)$, the same control action is applied at all of them; and the controller enables an event $\sigma \in \Sigma$ at all the states $x \in X_{P_{k+1}^{D^\circ}}$ if and only if the states reached by executing $\sigma$ in the states $X_{P_{k+1}^{D^\circ}}$ are all contained in $X_R$.
Remark 5.4 It is clear that if the mask $M$ is the identity map (or is injective), then the dynamic control law $D^\circ$ defined in Algorithm 5.3 is the same as the static control law $S$ defined in section 4. In other words, if complete state observation is possible, then static and dynamic control laws are identical. This, as we will see, is not the case when incomplete state observations are made.

Lemma 5.5 Consider the plant $G$ and the mask $M$. Let $G$ be controlled by the dynamic control law $D^\circ$ described in Algorithm 5.3. Then $\bigvee_{k \geq 1} P_k^{D^\circ} \preceq R$.

Proof: The controller $D^\circ$ is defined recursively in Algorithm 5.3. We use induction on $k$ for obtaining the desired result.

1. $I \preceq R$ ;Assumption A-1

2. $P_1^{D^\circ} \preceq I$ ;initiation step of Algorithm 5.3

3. $P_1^{D^\circ} \preceq R$ ;from 1 and 2 (base case)

4. $P_k^{D^\circ} \preceq R$ ;induction hypothesis

5. $P_{k+1}^{D^\circ} \preceq R$ ;recursion step of Algorithm 5.3 and 3

6. $\forall k \geq 1:\ P_k^{D^\circ} \preceq R$ ;from 3, 4, 5 and induction

7. $\bigvee_{k \geq 1} P_k^{D^\circ} \preceq R$ ;taking the disjunct with respect to $k$ in 6

This completes the proof. □

Thus under the dynamic control law described in Algorithm 5.3, the state trajectories of the system remain confined to the states where $R$ holds. In fact, it follows from Lemma 5.5 that $\bigvee_{k \geq 1} P_k^{D^\circ}$ is the weakest predicate stronger than $R$ to which the state trajectories of the partially observed controlled system $G$ are confined. The property that this weakest predicate stronger than $R$ equals $R$ is termed observability of $R$.

Definition 5.6 The required predicate $R$ of the partially observed system $G$ under the mask $M$ is said to be observable if and only if $\bigvee_{k \geq 1} P_k^{D^\circ} = R$, where $P_k^{D^\circ}$ for each $k \geq 1$ is recursively defined in Algorithm 5.3.

Algorithm 5.3 can be specialized to define a static control law $S : Y \to 2^\Sigma$ in which the control action at any step depends only on the observation at that step:

Algorithm 5.7

Initiation step: $P_1^S = M^{-1}(y_1) \wedge I$
$\sigma \in S(M^{-1}(y_1) \wedge I) \Leftrightarrow sp_\sigma(M^{-1}(y_1) \wedge I) \preceq R$

Recursion step: $P_{k+1}^S = sp_S(P_k^S) \wedge M^{-1}(y_{k+1})$
$\sigma \in S(M^{-1}(y_{k+1})) \Leftrightarrow sp_\sigma(M^{-1}(y_{k+1})) \preceq R;\ k \geq 1$

Note that the control law $S$ at each step $k > 1$ depends only on the $k$th observation $y_k \in Y$, and an identical control action is applied at each of the states in the set where $M^{-1}(y_k)$ holds (except for the case $k = 1$, where an identical control is applied at each of the states in the set where $M^{-1}(y_1) \wedge I$ holds). Since by definition $P_k^S \preceq M^{-1}(y_k)$, $S(P_k^S) = S(M^{-1}(y_k))$. Thus the term $sp_S(P_k^S)$ in the recursion step is well defined.
Remark 5.8 It can be proved, similarly to Lemma 5.5, that under the control of the static controller $S$ defined in Algorithm 5.7 the state trajectories of the system remain confined to $R$, i.e. $\bigvee_{k \geq 1} P_k^S \preceq R$. However, the static control law $S$ is more restrictive than the dynamic control law $D^\circ$, for at every step $k > 1$, $S$ depends on $M^{-1}(y_k)$, whereas $D^\circ$ depends on $P_k^{D^\circ}$, and $P_k^{D^\circ} \preceq M^{-1}(y_k)$; as a result, $\bigvee_{k \geq 1} P_k^S \preceq \bigvee_{k \geq 1} P_k^{D^\circ}$. Thus in the case of incomplete state observations, a static control law is of course more restrictive than a dynamic control law. In fact, the dynamic control law $D^\circ$ defined in Algorithm 5.3 is the minimally restrictive control law, i.e. if $D' : Y^* \times (2^\Sigma)^* \to 2^\Sigma$ is any other control law, then $\bigvee_{k \geq 1} P_k^{D'} \preceq \bigvee_{k \geq 1} P_k^{D^\circ}$.

The dynamic control law $D^\circ$ defined in Algorithm 5.3 and the static control law defined in Algorithm 5.7 can both be implemented by controllers of the following type:

Definition 5.9 Consider the plant $G \triangleq (\mathcal{P}_X, \Sigma, sp, I)$ and the mask $M : X \to Y$. The controller that implements the dynamic control law of Algorithm 5.3 is another DEDS $C \triangleq (\mathcal{P}_X, Y \times 2^\Sigma, sp_C, I_C)$, where $\mathcal{P}_X$ is the state set of the controller $C$; $Y \times 2^\Sigma$ is the event set of $C$; $I_C = M^{-1}(y_1) \wedge I$ is the initial condition of $C$; and $sp_C$, the strongest postcondition predicate transformer of $C$, is defined to be $(sp_C)_{(y, \Sigma')}(P) = sp_{\Sigma'}(P) \wedge M^{-1}(y)$ for each $P \in \mathcal{P}_X$, $y \in Y$ and $\Sigma' \subseteq \Sigma$ ($sp_{\Sigma'} = \bigvee_{\sigma \in \Sigma'} sp_\sigma$).

Finally, we present a necessary and sufficient condition under which a solution to SPCOP exists; the proof is constructive, so that a dynamic control law $D$ that solves SPCOP is automatically obtained.

Theorem 5.10 Consider the partially observed plant $G$ under the mask $M$. Let $R$ be the required predicate. Then a solution to SPCOP exists if and only if $R$ is controllable and observable.

Proof: Assume first that $R$ is controllable and observable. We will show that there exists a dynamic control law $D$ such that $(sp_D)^*(I) = R$. Let $D = D^\circ$, where $D^\circ$ is as defined in Algorithm 5.3. Since $R$ is $\Sigma_u$-invariant ($R$ is controllable) and $P_k^{D^\circ} \preceq R$ for each $k \geq 1$ (Lemma 5.5), $D^\circ (= D)$ in Algorithm 5.3 can be rewritten to yield the same dynamic control law:

$\forall \sigma \in (\Sigma - \Sigma_u),\ \sigma \in D^\circ(P_k^{D^\circ}) \Leftrightarrow sp_\sigma(P_k^{D^\circ}) \preceq R;\ k \geq 1$

In other words, $D^\circ (= D)$ never disables any uncontrollable events.

1. $(sp_{D^\circ})^*(I) = \bigvee_{k \geq 1} P_k^{D^\circ}$ ;by definition of $D^\circ$

2. $\bigvee_{k \geq 1} P_k^{D^\circ} = R$ ;$R$ is observable

3. $(sp_{D^\circ})^*(I) = R$ ;from 1 and 2

4. $(sp_D)^*(I) = R$ ;from 3 and $D = D^\circ$

Next we show that if there exists a dynamic control law $D$ such that $(sp_D)^*(I) = R$, then $R$ is controllable and observable.
1. $(sp_D)^*(I) = R$ ;by assumption

2. $(sp_D)^*(I) = \bigvee_{k \geq 1} P_k^D$ ;definition of $D$

3. $\bigvee_{k \geq 1} P_k^D = R$ ;from 1 and 2

4. $\bigvee_{k \geq 1} P_k^D \preceq \bigvee_{k \geq 1} P_k^{D^\circ}$ ;$D^\circ$ is minimally restrictive (Remark 5.8)

5. $R \preceq \bigvee_{k \geq 1} P_k^{D^\circ}$ ;from 3 and 4

6. $\bigvee_{k \geq 1} P_k^{D^\circ} \preceq R$ ;from Lemma 5.5

7. $\bigvee_{k \geq 1} P_k^{D^\circ} = R$ ;from 5 and 6

8. $R$ is observable ;from 7

9. $(sp_D)^*(I) = (sp_D)^*(R)$ ;apply $(sp_D)^*$ on 1

10. $(sp_D)^*(R) = R$ ;from 1 and 9

11. $(sp_u)^*(R) \preceq (sp_D)^*(R)$ ;$sp_u$ is the maximally restrictive control

12. $(sp_u)^*(R) \preceq R$ ;from 10 and 11

13. $sp_u(R) \preceq R$ ;using Lemma 3.5

14. $(sp_D|_R)^*(I) = R$ ;from 1 and Lemma 4.3

15. $(sp_D|_R)^*(I) \preceq (sp|_R)^*(I)$ ;$D$ restricts behavior

16. $R \preceq (sp|_R)^*(I)$ ;from 14 and 15

17. $R$ is controllable ;from 13 and 16

This completes the proof. □


Example 5.11 Consider the problem of mutual exclusion discussed in Example 4.6 for the Readers-Writers program of Example 2.10. Assume that the mask $M : X \to Y$ is such that the number of writers always appears to be the same, namely zero; however, the number of readers can be observed completely, i.e. $M((nr = p, nw = q)) = (nr = p, nw = 0)$ for all $(p, q) \in \mathcal{N}^2$. As discussed in Example 4.6, the mutual exclusion constraint is written as the required predicate $R = ((nw = 0) \vee (nw = 1 \wedge nr = 0))$, and it is controllable. However, $R$ may or may not be observable, depending on the initial condition $I$.

Case 1: $I = ((nr, nw) = (0, 0))$ as in Example 2.10. Then $R$ is observable, as in this case the number of writers is completely determined by observing the occurrences of the events $\mathit{st\_wt}$ and $\mathit{end\_wt}$. Algorithm 5.3 yields the required dynamic supervisor.

Case 2: $I = (nr = 0) \wedge ((nw = 0) \vee (nw = 1))$. In this case the number of writers cannot be fully determined from the past observations, and $R$ is not observable. Hence a dynamic supervisor cannot be constructed to solve SPCOP. Under the control of the dynamic supervisor $D^\circ : Y^* \times (2^\Sigma)^* \to 2^\Sigma$ described in Algorithm 5.3, the closed-loop system can only achieve the predicate $(nw = 0)$, i.e. $(sp_{D^\circ})^*(I) = (nw = 0) \neq R$.
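As an added example (not from the paper), the following Python code runs both Algorithm 5.3 and Algorithm 5.7 on the masked Readers-Writers system of Case 1 above and computes the predicate $\bigvee_{k \geq 1} P_k$ to which each law confines the closed loop, which exhibits the gap of Remark 5.8 between static and dynamic control. It assumes that the events of Example 2.10 are $\mathit{st\_rd}$, $\mathit{end\_rd}$, $\mathit{st\_wt}$, $\mathit{end\_wt}$ acting on the counters $nr$, $nw$, and bounds the counters by $N = 4$ so that the search over state estimates terminates.

```python
"""Dynamic (Algorithm 5.3) versus static (Algorithm 5.7) control under a
mask, run on the Readers-Writers setting of Example 5.11, Case 1.

Predicates are finite sets of states x = (nr, nw) from a bounded box (the
bound N is an assumption added so the search terminates).  The events of
the Readers-Writers program of Example 2.10 are assumed to be st_rd,
end_rd, st_wt, end_wt incrementing/decrementing nr and nw (an assumption;
that program is not reproduced on this page).
"""
from collections import deque
from itertools import product

N = 4                                                 # constructed bound
X = frozenset(product(range(N + 1), repeat=2))        # bounded state space

# event -> (guard C, update F) on x = (nr, nw); guards keep F(x) inside X
EVENTS = {
    "st_rd":  (lambda x: x[0] < N, lambda x: (x[0] + 1, x[1])),
    "end_rd": (lambda x: x[0] > 0, lambda x: (x[0] - 1, x[1])),
    "st_wt":  (lambda x: x[1] < N, lambda x: (x[0], x[1] + 1)),
    "end_wt": (lambda x: x[1] > 0, lambda x: (x[0], x[1] - 1)),
}

def mask(x):
    """M((nr = p, nw = q)) = (nr = p, nw = 0): the writer count is invisible."""
    return (x[0], 0)

def mask_inv(y):
    """M^{-1}(y): the predicate holding exactly at the states observed as y."""
    return frozenset(x for x in X if mask(x) == y)

# required predicate R = (nw = 0) or (nw = 1 and nr = 0)
R = frozenset(x for x in X if x[1] == 0 or (x[1] == 1 and x[0] == 0))

def sp(sigma, P):
    """sp_sigma(P): states reached by executing sigma from a state in P."""
    C, F = EVENTS[sigma]
    return frozenset(F(x) for x in P if C(x))

def control(P):
    """sigma is enabled on P iff sp_sigma(P) =< R (Algorithms 5.3 and 5.7)."""
    return frozenset(s for s in EVENTS if sp(s, P) <= R)

def closed_loop(I, static):
    """Union of every state estimate P_k reachable over any observation
    sequence, i.e. the predicate OR_{k>=1} P_k the closed loop is confined
    to.  static=False applies D°(P_k) (Algorithm 5.3); static=True applies
    S(M^{-1}(y_k)) for k >= 2 (Algorithm 5.7).  Step 1 is the same in both:
    P_1 = M^{-1}(y_1) AND I, with the control computed on P_1."""
    frontier = deque()
    for y in {mask(x) for x in I}:                    # every possible y_1
        P1 = mask_inv(y) & I                          # initiation step
        frontier.append((P1, control(P1)))
    seen, reached = set(), frozenset()
    while frontier:
        P, ctl = frontier.popleft()
        if not P or (P, ctl) in seen:
            continue
        seen.add((P, ctl))
        reached |= P
        successors = frozenset().union(*(sp(s, P) for s in ctl))
        for y in {mask(x) for x in successors}:       # every possible y_{k+1}
            Pk = successors & mask_inv(y)             # recursion step
            ctl_k = control(mask_inv(y)) if static else control(Pk)
            frontier.append((Pk, ctl_k))
    return reached

def is_observable(I):
    """Definition 5.6: R is observable iff OR_k P_k^{D°} equals R."""
    return closed_loop(I, static=False) == R

I_CASE1 = frozenset({(0, 0)})      # Case 1 of Example 5.11

if __name__ == "__main__":
    print("R observable in Case 1:", is_observable(I_CASE1))
    print("static closed loop     :", sorted(closed_loop(I_CASE1, static=True)))
```

Under the static law the observation $(nr = 0)$ cannot distinguish $nw = 0$ from $nw \geq 1$, so $S$ must disable $\mathit{st\_rd}$ and $\mathit{st\_wt}$ on the whole set $M^{-1}(y)$ and the closed loop freezes after one step, whereas $D^\circ$ reaches every state of $R$ within the box.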


6  Conclusion

We have presented in this paper a methodology for designing controllers for a wide variety of systems described in terms of a set of predicates and a set of predicate transformers. Predicates can concisely represent an infinite state space; hence many discrete event systems, including clocks, queues with unbounded buffers, etc., can be modeled in this framework. The above theory can also be useful in synthesizing controller programs for programs describing possibly complex DEDS's. Thus the framework is quite general.
The strongest postcondition transformer has been presented as a fundamental concept for describing the state space evolution of a DEDS. We have presented the notion of duality of predicates and shown that $sp$ and $wlp$ are duals of each other. Many of the basic properties of a predicate transformer have been highlighted, and the relation of these properties to the existence of extremal solutions of some predicate equations has been pointed out. We have shown how these properties and extremal solutions of boolean equations can be applied for supervisory synthesis purposes. The notion of controllability of a required predicate describing the set of legal states has been defined, and it has been shown that controllability is a necessary and sufficient condition for the existence of a supervisor that guarantees the invariance of the required predicate under system evolution. The supervisory predicate control problem has been presented and solved using the notion of controllability. It has further been shown that the weakest controllable predicate stronger than the given predicate exists, and hence the construction of minimally restrictive supervisors is possible in case the required predicate is not controllable. We have presented a method for computing the weakest controllable predicate; this is one of the main results in this paper.

We also address the problem of designing supervisors for a partially observed plant. We introduce the notion of observability which, together with controllability, is a necessary and sufficient condition for the existence of a supervisor that solves the supervisory predicate control and observation problem introduced in this paper.
A  Proof of Theorem 3.10

Proof: We prove Theorem 3.10 by way of cyclic implication. First we show that C-1 $\Rightarrow$ C-2. Note that since $f$ is disjunctive, the weakest solution in C-1 exists.

1. $f(g(P)) \preceq P$ ;from C-1

2. conjunct 1 of C-2 holds ;from 1

3. $P$ is a solution of $Q : f(Q) \preceq f(P)$ ;$f(P) \preceq f(P)$

4. $g(f(P))$ is the weakest solution of $Q : f(Q) \preceq f(P)$ ;from C-1

5. $P \preceq g(f(P))$ ;from 3 and 4

6. conjunct 2 of C-2 holds ;from 5

Next we show that C-2 $\Rightarrow$ C-3. This we show by showing that under C-2 the LHS of C-3 implies the RHS of C-3 and vice versa.

1. $f(P) \preceq Q$ ;assume LHS of C-3

2. $g(f(P)) \preceq g(Q)$ ;apply $g$ on 1, $g$ is monotone (Lemma 3.3)

3. $P \preceq g(f(P))$ ;conjunct 2 of C-2

4. $P \preceq g(Q)$ ;from 2 and 3

5. RHS of C-3 holds ;from 4

6. $P \preceq g(Q)$ ;assume RHS of C-3

7. $f(P) \preceq f(g(Q))$ ;apply $f$ on 6, $f$ is monotone (Lemma 3.3)

8. $f(g(Q)) \preceq Q$ ;conjunct 1 of C-2 with $P$ replaced by $Q$

9. $f(P) \preceq Q$ ;from 7 and 8

10. LHS of C-3 holds ;from 9

Next we show that C-3 $\Rightarrow$ C-4. Since $g$ is conjunctive and $P$, treated as a constant predicate transformer, is monotone, it follows from Theorem 3.8 that the strongest solution in C-4 exists.

1. $f(P) \preceq f(P) \Leftrightarrow P \preceq g(f(P))$ ;replace $Q$ by $f(P)$ in C-3

2. $\mathit{true} \Leftrightarrow P \preceq g(f(P))$ ;from 1

3. $f(P)$ is a solution in C-4 ;from 2

4. $P \preceq g(Q) \Leftrightarrow f(P) \preceq Q$ ;rewriting C-3

5. $f(P)$ is the strongest solution in C-4 ;from 4

Next we show that C-4 $\Rightarrow$ C-1.

1. $P \preceq g(Q) \Leftrightarrow f(P) \preceq Q$ ;$f(P)$ is the strongest solution in C-4

2. $g(P) \preceq g(P) \Leftrightarrow f(g(P)) \preceq P$ ;replace $P, Q$ by $g(P), P$ respectively in 1

3. $\mathit{true} \Leftrightarrow f(g(P)) \preceq P$ ;simplifying 2

4. $g(P)$ is a solution in C-1 ;from 3

5. $f(P) \preceq Q \Leftrightarrow P \preceq g(Q)$ ;rewriting 1

6. $f(Q) \preceq P \Leftrightarrow Q \preceq g(P)$ ;replace $P, Q$ by $Q, P$ respectively in 5

7. $g(P)$ is the weakest solution in C-1 ;from 6

This completes the proof of Theorem 3.10. □